Monthly Archives: February 2018

What Is RFID Skimming?

Security breaches are increasingly affecting organizations across various domains as they heavily rely on technologies to reduce the operational costs and improve the work efficiency.

The United States is the world leader in data breach incidents. According to a report shared by the Identity Theft Resource Center in 2017, the security breach incidents in the U.S. hit a new record of 1579 breaches, exposing more than 171 million organizational and customer records. Moreover, the International Data Corporation estimates that by the year 2020, over 25 percent of the world’s population will be affected by data breaches and cyber crimes owing to mankind’s growing dependence on the latest technological advancements.


The Radio Frequency Identification (RFID) technology uses the radio-frequency magnetic fields to identify and track people, vehicles, and assets that carry RFID tags without the need for a direct contact.

Owing to its cost-effectiveness, the speed of operation, and the ease of use, this pervasive technology has replaced several obsolete technologies such as barcodes and magnetic swipe cards. Consequently, the RFID technology is being used in the supply chain management, the retail, the automated payment systems, the airline baggage management, the toll and parking systems, and the prescription management systems in healthcare. However, organizations need to be aware of and address a few security and privacy risks when adopting RFID.

Like most technologies and networks, RFID systems are also vulnerable to physical and electronic attacks, namely reverse engineering, power analysis, eavesdropping, sniffing, denial of service, cloning, spoofing, and viruses. As this technology matures and finds numerous applications, hackers will continue to seek novel methods in order to access private information, infiltrate secure networks, and take the system down for their own gains.

RFID tags can receive and respond to a variety of signals, increasing the risk of unauthorized access and modification of the data on the tag. In other words, any unlawful individual who has an RFID card reader can interrogate tags and access its contents.


A new breed of digital pickpocketers armed with RFID card readers can pick up details of credit and debit cards in a matter of seconds. Similarly, attacks on POS (point of sales) systems can cause large-scale security breaches. For instance, in December 2013, hackers gained access to the RFID-enabled POS system of Target Stores, a US-based retail giant, by installing card readers to track the card details of more than 40 million customers.

This technology is becoming increasingly relevant to businesses. Consequently, it is crucial for organizations to mitigate future security attacks by employing encryption methods, chip coatings, and signal-blocking and authentication methods. For instance, wrapping the RFID-enabled card in a metal foil or investing in RFID blocking wallets, passport pouches, and sleeves can block unauthorized RFID-card readers from accessing private data, preserving your organization’s authenticity, integrity, and confidentiality.

The infographic below is a handy guide towards understanding RFID skimming and data theft. It will help you understand how hackers can misuse the RFID technology to gain access to your confidential data, increasing the risk of identity thefts and frauds. Moreover, you will also find practical tips on how you can protect your organization and employees from these malicious attacks.




via:  tripwire

Veil is private browsing for the ultra-paranoid

If you’re worried about someone finding out what you’re pointing your browser at, there are plenty of options for keeping it secret, with varying levels of difficulty and effectiveness. Veil takes things further than perhaps any other anonymous browsing method by masking the page you’re viewing not just from would-be attackers, but from your own operating system.

The problem, as the MIT researchers behind Veil explain in a new paper outlining the service, is that private browsing modes, even ones using Tor and other measures, can still leave a trace of your history on the device itself, in RAM or temporary storage.

When you visit a page, even anonymously, that page and its components still have to be loaded into memory, displayed and cached, libraries or plugins perhaps accessed or modified. The browser may try to delete these traces, but success can vary depending on how things are set up. A sort of ghost version of your activity may live on in your RAM, even if it’s just a hash of some data or timestamp.

“The fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it. But at the end of the day, no matter what the browser’s best effort is, it still collects it,” explained MIT graduate student Frank Wang, the lead author of the paper, in a news release. “We might as well not collect that information in the first place.”

Veil takes things several steps further by handling delivery of the site via what they call a “blinding server.” You enter the URL into the site and the page is retrieved for you from the special servers, encrypted in transit and in your browser cache, and only decrypted for your viewing. Links and URLs are themselves encrypted so they can’t be linked to the content requested.

Furthermore, it injects invisible garbage code into the page while also “mutating” the content (again, invisibly) so that you could load it a thousand times on the same computer and although it would look the same to you, any resulting digital fingerprints like hash, payload size and so on would always be different.

This way your computer never actually registers the actual URL, never caches any of the data and any traces left won’t match up with any database or even each other.

In the most extreme privacy case, users don’t even interact with the actual webpage — just an image of it.

Converting webpages to Veil-compatible ones can be done via a special compiler provided by the researchers. It shouldn’t break anything, though it will add to the bandwidth used and requests served, owing to the mutations and extra crypto operations.

But wait, there’s more! For those of you worried that even that level of obfuscation isn’t enough, there’s an option that I’ve always considered a possibility but never seen executed: browsing via visual data alone.

If you want, Veil will instead of showing you the target site’s actual code, just take a screenshot and show you that. You can click on the screenshot and it will record the location of that click, then transmit it to the actual page, returning a screenshot of the result.

The next step, I suppose, will be to employ a robot that looks at a completely separate computer somewhere and tells you what it sees in pig Latin. Onnection-cay ecure-say!

Of course, this isn’t a zero-trust situation: the blinding servers will, like Tor nodes, be run by volunteers and organizations that could attempt to compromise the system (a site could also run its own). But if the process is mathematically and procedurally verifiable, you should be okay. Of course, security researchers will want to audit the code.

Veil was presented this week at the Network and Distributed Systems Security Symposium in San Diego. You can read the full paper here.


via:  techcrunch

The Role of the CISO in Preventing Data Breaches

In these times of unabated data breaches, the typical Chief Information Security Officer (CISO) must feel like a moving target in a shooting gallery. It’s not a matter of whether an attack and possible breach will occur, it’s a matter of when. Being a CISO is a fascinating and important job. Often, though, it’s a thankless one.

Unfortunately for CISOs, their role is one of the positions held most accountable when a data breach occurs. According to one survey, 21 percent of IT decision-makers would most likely blame a data breach on the CISO, ranking second only behind the CEO.

CISOs can – and should – take steps well in advance to mitigate the possibility of their company falling victim to a data breach. And should a breach occur, this will help them hang on to their position.

In this article, we explore some of the ways that CISOs can avoid being perceived as a mere scapegoat and suggest how they can contribute in a more meaningful way to the company’s IT security posture and even enhance the organization’s brand.

What is a CISO?

Since the CISO role has only been in existence for a decade or two, some people aren’t even sure what the CISO does. This may contribute to the casting of blame after a data breach. In short, the CISO (chief information security officer) is the senior-level executive who’s responsible for executing and overseeing the company’s cybersecurity strategy.

CISO responsibilities may include:

  • Hiring IT security staff
  • Conducting employee security awareness training
  • Developing secure business policies and practices
  • Planning for disaster recovery
  • Monitoring the IT environment for vulnerabilities and abnormal events
  • Ensuring the privacy and security of customer data
  • Identifying the most important security metrics and KPIs
  • Evaluating and purchasing security products from vendors
  • Managing responses to cybersecurity incidents
  • Verifying the company’s compliance with laws and regulations

With IT environments becoming increasingly more complex and vulnerable by the day, the responsibilities of the CISO have expanded over time. Handling all of these obligations appears to be an impossible and somewhat underappreciated task. According to one estimate, the average tenure of a CISO is 18 months. Although it’s prestigious and well-paid, the CISO role is a high-stress one where firings and resignations are more common than in other executive positions.

How Can CISOs Protect the Company and Themselves?


If a security flaw is found in an organization’s IT infrastructure, but that information is shielded from the public, will the CISO be fired? Operational transparency is key. That means comprehensive, accurate, and consistent reporting of vulnerabilities, any non-compliant infrastructure, and data security incidents — no matter how minor they may seem. As a best practice, this open approach can aid in the prevention as well as detection, identification, and investigation of the inevitable data breach when it occurs.

In one particularly egregious case, a CISO promised thousands of dollars to a penetration tester who discovered a vulnerability in the company’s server but then failed to report the problem to the CEO. The CISO also did not pay the tester and continued to ignore the tester’s attempts at contact. Fortunately, the CEO fired the CISO immediately once he discovered this negligence in failing to share the information and pay the person responsible for finding the vulnerability.


CISOs should focus on hiring the right security professionals for the job whatever their background may be. The “skills gap” in tech is even more pronounced in IT security, and many security professionals are self-taught. At IBM, 20 percent of U.S. cybersecurity hires in the past three years are so-called “new-collar” positions, which emphasize aptitude, skills, and competence over degrees and previous careers.

This shift in hiring means that CISOs can prioritize on-the-job employee training and focus on finding the optimal aptitude and best cultural fit rather than the “right” degree. CISOs can use tests during the hiring process in order to assess candidates’ decision-making skills, ability to learn, and aptitude for handling security issues.


In recent years, the CISO has reached a level of strategic importance in many organizations that is equal to the CIO (chief information officer). This means that the CISO fully deserves a place at the table in the executive boardroom.

One common trend for company hierarchies is to have the CISO report directly to the CEO, which helps improve their working relationship. Although CISOs can do little to control the company’s reporting structure, it’s important that their voice is heard by the executive team since so much of an organization’s business continuity and brand reputation rests upon successful data security strategy and execution.


Legacy data security architectures that utilize firewalls and IDS/IPS have become insufficient at providing the protection that’s required to ensure the safety and privacy of the data environment.

Forrester notes in a recent data security report that “perimeter-based approaches to security have become outdated. Security and privacy pros must take a data-centric approach to make certain that security travels with the data itself—not only to protect it from cybercriminals but also to ensure that privacy policies remain in effect.”

Due to the highly valuable sensitive data that they possess, financial services organizations are particularly susceptible to insider threats. Implementing an encryption solution provides true data-centric protection and guards against unauthorized access to data stores, helping to reduce and prevent data exfiltration by insiders and outsiders alike. This supports the Center for Internet Security’s (CIS) data protection recommendation. The CISO must also give careful consideration to who has access to any and all encryption keys, reinforcing CIS’s controlled use of administrative privileges.

Other solutions that the CISO must be responsible for choosing are vulnerability assessment software and monitoring solutions.


One of the primary responsibilities of CISOs is making employees more aware of security issues like malware and phishing and helping them to adopt best practices. Knowing about cyberattack techniques and preventative actions is meaningless unless the CISO works to share that information with the rest of the organization.


Even with all the right precautions in place, cyberattacks can still happen as hackers become more aggressive and sophisticated. CISOs who can reduce or eliminate dwell time by identifying and containing the threat as soon as possible will minimize the disruption and damage to the business, succeeding where other CISOs have failed. Investing in advanced security tools and technologies like data-centric audit and protection, which leverages analytics and machine learning, can reap massive dividends for both CISOs and their organizations.

Final Thoughts

CISOs are an incredibly important resource, but all too often they find themselves the scapegoat in the event of a data breach. However, there are steps that CISOs can take to protect themselves and their company:

  • Building the right team
  • Establishing ongoing education and training programs
  • Choosing the right tools and solutions
  • Providing consistent reporting
  • Staying in close communication with leadership

CISOs who proactively perform these activities will not only improve their organizations’ security posture; they will decrease the likelihood of finding themselves out of a job when the inevitable occurs.



via:  tripwire

Amazon’s latest Prime perk is free shipping on its deals site Woot!

Eight years after Amazon snatched up the daily deals site Woot!, the retailer is now leveraging the site to serve as another perk for Prime members. Woot! this morning announced that it will begin offering free shipping on purchases from its site to all Amazon Prime members.

Woot!, which was founded in 2003, is no longer the household name it used to be back when Amazon acquired it in 2010 for $110 million. At the time, the site had gained popularity for its gimmick of “one deal per day,” which drove engagement, traffic and, of course sales, as quantities were limited.

Woot! was also well-known for its sense of humor, which continues today with its announcement of the Prime deal. In it, the company writes: “YEP. YOU’RE WELCOME,” and then proceeds to quote its monkey mascot, Mortimer.

In the years following Amazon’s acquisition, Woot! distanced itself from the one-deal-a-day format, and now features a variety of special deals, including several limited-time offers across categories like computers, electronics, home and sporting goods and more.

However, it makes sense that Amazon would bring Woot! into the fold, given that roughly one-third of Woot!’s traffic comes from, according to data from SimilarWeb, which also claims the site saw 16.8 million visits in January, 2018.

This is not the first time Amazon has brought one of its subsidiaries into the Prime membership program. In September 2016, Amazon added free audiobooks and podcasts from Audible to its list of Prime perks, and a variety of upgrades and special features for gamers with the launch of Twitch Prime.


via:  techcrunch

Google Assistant will support over 30 languages by year-end, become multilingual

Google Assistant, the search giant’s answer to Alexa that lives on Android smartphones, tablets, and Google Home speakers, will expand to more languages over the course of the year, to cover 95 percent of all eligible Android smartphones, Google announced this morning. It will also soon become multilingual – meaning users who speak more than one language will be able to talk to Assistant in all the languages they speak, as well.

The latter feature will be especially helpful for those who speak their native language in their home, but may speak a different language with local friends or at work, for example.

Though Google Assistant is capable of understanding different languages, there wasn’t a way to easily switch between them before – you’d have to configure your language selection in the app’s settings. This feature will make talking to the assistant more natural.

Multilingual support will first be available in English, French and German when it rolls out later this year, but more languages will be added in time, the company says.

Google Assistant’s global footprint is also growing, the company says.

This year, the smart assistant will jump from being available in 8 languages to more than 30. Over the next few months, the Assistant will learn to speak Danish, Dutch, Hindi, Indonesian, Norwegian, Swedish and Thai on Android phones and iPhones. By year-end, it’s expected to reach 95 percent of Android smartphones worldwide capable of running Google Assistant.

This will also give Google Assistant an advantage over rivals like Siri and Alexa, which have more limited language support. Amazon may have expanded Echo speakers to more markets around the world, but it hasn’t localized the device for those locations – Alexa only speaks English, German and Japanese. Meanwhile, one of Siri’s biggest strengths had been the fact that it could speak over 20 languages.

The added language support was one of several updates for Google Assistant announced this morning, including also an Assistant Mobile OEM program, to help mobile manufacturers more deeply integrate with Assistant, and the launch of Routines and location-based reminders, rolling out next week.


via:  techcrunch

AWS Makes Permissions Check Feature Free to Prevent S3 Bucket Breaches

Amazon Web Services (AWS) has made its Permissions Check feature freely available to help customers prevent an S3 bucket breach.

On 20 February, Amazon made the announcement in a news update:

AWS Trusted Advisor now helps all customers better secure their data by providing the S3 Bucket Permissions check for free! Previously available only to Business and Enterprise support customers, this check identifies S3 buckets that are publicly accessible due to ACLs or policies that allow read/write access for any user.

Permissions Check examines ACLs and policies (not ACL objects) to determine if an S3 bucket provides public read or write access. It then labels the permissions of each bucket as Public, Not public* (ACL objects could be publicly accessible), Access denied, Error, or Undetermined. Customers can also gain more specific insight in the Search for buckets drop-down list by choosing Buckets with public read access, Buckets with public write access, and Buckets with any type of public access (read or write).

The statement made by AWS Trusted Advisor goes on to note that Business and Enterprise support customers can use Permissions Check to enable automated actions by integrating with CloudWatch Events.

To learn more about AWS Trusted Advisor’s Permissions Check feature, click here.

List buckets view with Public button highlighted at the top. (Source: AWS Documentation)

AWS Trusted Advisor’s decision to make its Permission Checks feature follows on the heels of several high-profile S3 bucket breaches in 2017 including incidents at Booz Allen Hamilton, the Pentagon, and Verizon. In the wake of those events, security researchers have taken it upon themselves to leave “friendly warnings” on AWS S3 accounts with exposed data or incorrect permissions. But that’s no substitute for working to prevent another AWS S3 storage breach.

Here are some recommendations on how you can keep your AWS S3 bucket data private.


via:  tripwire

Most Orgs Worried Skills Gap Will Leave Them Exposed to Security Flaws

Over the past couple years, it has become more challenging to hire adequately skills cybersecurity professional. I Tripwire survey showed the following results which cover which technical skills are most needed and what organizations plan to do about ensuring they show up in their expanding security workforce.

In Tripwire’s survey, there was large agreement that security teams will need to keep sharpening their technical skills in order to keep up with advanced threats. Seventy-nine percent of respondents said they believe the need for technical skills among security staff has increased over the past two years, with the majority citing network monitoring, IT fundamentals, and vulnerability management as most important.

Even more concerning, almost half of the survey participants were concerned about their teams losing certain skills altogether. Of those, 52 percent were concerned about staying on top of vulnerabilities, 29 percent were concerned with keeping track of devices and software on the network, and 24 percent were concerned about identifying and responding to issues in a timely manner and staying on top of emerging threats. These fears are concerning and perhaps surprising since they pertain to the retention of absolute basic security essentials in every one of their IT security professionals.

Tim Erlin, vice president of product management and strategy at Tripwire, says this anxiety among survey participants isn’t unfounded:

“Considering the recent high-profile threats that have been attributed to unpatched systems, it’s no wonder respondents are concerned that a technical skills gap could leave their organizations exposed to new vulnerabilities. I’m encouraged to see that respondents are prioritizing skills for foundational security controls, such as vulnerability management and network monitoring, when they’re hiring.”

Teams also voiced their intention to keep up with the advancement of the cloud, the Internet of Things (IoT), and DevOps. Eighty-eight percent said they expect the need for expertise in the cloud to increase, while 77 percent indicated a growing demand for IoT expertise as well as for DevOps. Most security teams disclosed they might turn to outside help to satisfy this need. Ninety-seven percent said technology vendors can help address the skills gap, so it’s not surprising that 91 percent of respondents revealed they will outsource security skills to help address the technical skills gap.

Erlin thinks that’s a logical move:

“Growing adoption of cloud, IoT, and DevOps brings about new challenges that security teams will need to keep up with, and if organizations want to bridge a technical skills gap, they should look to work with security vendors and managed security providers who can help them address today’s major attack types while also offering training to their existing IT teams. As security continues to become an even bigger challenge for organizations, we can expect to see more and more businesses outsource to gain security expertise in the future.”

In earlier posts, we covered the need for more women in cybersecurity and a blended training/education approach for closing the gap on technical skills.

How do you think the industry can build a better funnel of technically adequate cybersecurity professionals? What else should security teams be considering? Please let me know in the comments!


Skills Gap Pt 2 d1


via:  tripwire

When patient safety, privacy, confidentiality and security collide

The Latin phrase “primum non nocere” is a fundamental principle for physicians. It serves as a reminder that the patient’s well-being is the primary consideration in a doctor- patient relationship, regardless of any proposed intervention or procedure. Originally the term was coined to remind physicians to consider the potential harm of treatment therapies compared with taking no action. With today’s heightened focus on privacy, security, and safety, the concept of primum non nocere takes on expanded meaning.

For medical professionals, safety is almost always the number one concern when treating patients: a physician will avoid prescribing a “cure” that has a high likelihood of harming his or her patient. Exceptions are warranted when the patient (and usually the family) is well informed of the risks of “investigational” or unorthodox treatments with the goal of palliation or remission without a likely cure. “End of life” scenarios also encompass this approach.

Patient privacy as enshrined in the 2,500-year-old Oath of Hippocrates, is also a high priority for physicians, which is why providers take proactive measures to ensure the security of patient medical records.

Sometimes privacy, confidentiality, security, and safety concerns collide. If a physician or an organization fails to have adequate security for its electronic health records (EHRs), patient privacy can be easily violated. If too much security is in place, the right people – including the patient, a physician, or family members – can’t access records when they need it.

Protecting privacy while enhancing patient safety

Numerous state and federal regulations exist to protect the privacy of patient record, most notably the HIPAA Privacy rule and its revisions. If a patient is diagnosed with substance use disorder (SUD), privacy laws usually allow the patient to withhold this information from employers, potential employers, or even family members. In some states, however, privacy concerns are at odds with programs designed to keep patients safe.

All but one state currently has a prescription drug monitoring program (PDMP) that is either live or in the process of being implemented. PDMPs help keep physicians well-informed about their patients’ controlled substance prescribing histories based on the collection and analysis of data from prescribers and pharmacists. Each state has its own PDMP laws, and while only a handful require physicians to consult PDMPs prior to prescribing controlled substances, that number is growing.

PDMPs are designed to keep data around what used to be officially termed “Dangerous Drugs” – with considerable abuse and addiction potential – very restricted to only selected individuals. These individuals are usually certain law enforcement officers and treating providers, depending on the particular state regulations. These restrictions help with confidentiality and attempt to aid patient safety by protecting individuals from predatory and unethical practices.  In addition, when prescribers have access to PDMP information at the point of prescribing, they are better equipped to assess risk and have meaningful, serious conversations with patients about their controlled substance histories. This is particularly critical with Opioids where accidental overdose deaths are skyrocketing over the past decade. In this way, PDMPs help prescribers – and law enforcement officials – identify individuals who may be “doctor-shopping” as well as physicians who might be “overprescribing” controlled substances.

Despite the benefits of PDMPs, some physicians and patients are concerned about the privacy risks. PDMPs store details about controlled substance prescriptions in statewide databases that could be breached if not adequately secured. Patients who fear having their prescription drug history made public may avoid seeking needed care, or, resort to illicit – and far less safe – alternatives, such as street based fentanyl or heroin.

Many states hesitate when asked to share PDMP information with other states, citing privacy concerns, which can have a negative impact on patient safety and also add to the stigma surrounding both addiction and its treatment. Unfortunately, many people that would benefit from properly authorized prescribers having access to their medication history can easily circumvent these programs by crossing state lines.

Balancing privacy and security risks

Of course, any time clinical data is electronically stored or shared, the risk of unauthorized access increases. Physicians must weigh the privacy and security risks of EHRs, including electronic prescribing of medications and clinical record sharing. Patient safety and outcomes are enhanced when all properly authorized caregivers have access to a patient’s medical records. This is particularly critical when treating patients with known and documented histories of chronic high-dose opioids and/or addiction. E-prescribing of controlled substances (EPCS) further enhances safety when used with clinical decision support tools to alert prescribers and pharmacists of possible adverse drug-drug and other interactions or duplicate therapies. When combined with PDMP data in the same prescribing workflow it enhances provider productivity and makes direct, face to face discussions with patients around medication safety more likely.

Keeping patients free from harm must always be the top priority for physicians. Recent technologies are now available to help medical professionals hold to this ancient promise. However, as we continue to design and implement solutions to boost safety, the patient’s right for privacy must also remain a priority. Safety, privacy confidentiality and security act in balance with each other and changes to one impacts another. To advance adoption of safety-enhancing technologies, physicians and their patients need assurances from health systems, vendors, and the government that confidential clinical information is secure, inaccessible to unauthorized users and enforced with appropriate penalties for those who violate that trust.


via:  linkedin

Top 10 Mobile App Security Best Practices for Developers

While you were busy developing the most intuitive, innovative and exciting apps, security breaches shook up the cyber world and made off with millions of dollars. If you begin to take into perspective the kind of relationship we have with our smartphones and mobile apps today, you’ll see that an enormous share of our life-critical information is floating about in the ether, accessible to a slew of cybercriminals.

With one break-in, criminals could know our name, age, home address, account numbers and even our current location precise to a few meters. Enterprise applications exchange exceedingly sensitive information that attackers are constantly on the prowl for.

With that kind of information at stake, mobile app developers need to do everything they can to protect their users and clients. Here are 10 ways developers can build security into their apps:

1. Write a Secure Code

Bugs and vulnerabilities in a code are the starting point most attackers use to break into an application. They will try to reverse engineer your code and tamper with it, and all they need is a public copy of your app for it. Research shows that malicious code is affecting over 11.6 million mobile devices at any given time.

Keep the security of your code in mind from the day one and harden your code, making it tough to break through. Obfuscate and minify your code so it cannot be reverse engineered. Test repeatedly and fix bugs as and when they are exposed. Design your code so it is easy to update and patch. Make sure you keep your code agile so it can be updated at the user end post a breach. Use code hardening and code signing.

2. Encrypt All Data

Every single unit of data that is exchanged over your app must be encrypted. Encryptionis the way of scrambling plain text until it is just a vague alphabet soup with no meaning to anyone except those who have the key. This means that even if data is stolen, there’s nothing criminals can read and misuse.

You can understand the power of encryption when organizations like FBI and NSA are found asking for permission to access iPhones and decode WhatsApp messages. If they can’t break through willfully, hackers sure can’t.

3. Be Extra Cautious With Libraries

When using third-party libraries, be doubly careful and test the code thoroughly before using it in your app. As useful as they are, some libraries can be extremely insecure for your app. The GNU C Library, for instance, had a security flaw that could allow attackers to remotely execute malicious code and crash a system. And this vulnerability went undiscovered for over seven years. Developers should use controlled internal repositories and exercise policy controls during acquisition to protect their apps from vulnerabilities in libraries.

4. Use Authorized APIs Only

APIs that aren’t authorized and are loosely coded can unintentionally grant a hacker privileges that can be misused gravely.  For example, caching authorization information locally helps programmers easily reuse that information when making API calls. Also, it makes coders’ life easier by making it easier to use the APIs. However, it also gives attackers a loophole through which they can hijack privileges. Experts recommend that APIs be authorized centrally for maximum security.

5. Use High-Level Authentication

In the wake of the fact that the some of the biggest security breaches happen due to weak authentication, it is becoming increasingly important to use stronger authentication. Quite simply, authentication refers to passwords and other personal identifiers that act as barriers to entry. Indeed, a large part of this depends on the end users of your application, but as a developer, you can encourage your users to be more sensitive towards authentication.

You can design your apps to only accept strong alphanumeric passwords that must be renewed every three or six months. Multi-factor authentication is gaining prominence, which involves a combination of static password and dynamic OTP. In case of overly sensitive apps, biometric authentication like retina scan and fingerprints can be used too.

6. Deploy Tamper-Detection Technologies

There are techniques to set off alerts when someone tries to tamper with your code or inject malicious code. Active tamper-detection can be deployed to make sure that the code will not function at all if modified.

7. Use the Principle of Least Privilege

The principle of least privilege dictates that a code should run with only the permissions it absolutely needs and no more. Your app shouldn’t request for any more privileges than the minimum required for it to function. If you don’t need access to the user’s contacts, don’t ask for it. Don’t make unnecessary network connections. The list goes on and largely depends on the specifics of your app, so perform continuous threat modeling as you update your code.

8. Deploy Proper Session Handling

“Sessions” on mobile last much longer than on desktops. This makes session handling harder for the server. Use tokens instead of device identifiers to identify a session. Tokens can be revoked at any time, making them more secure in case of lost and stolen devices. Enable remote wiping of data from a lost/stolen device and also enable remote log-off.

9. Use the Best Cryptography Tools and Techniques

Key management is crucial if your encryption efforts have to pay off. Never hard code your keys as that makes it easy for attackers to steal them. Store keys in secure containers and never ever store them locally on the device. Some widely accepted cryptographic protocols like MD5 and SHA1 have proven insufficient by modern security standards. Stick to the latest, most trusted APIs, such as 256-bit AES encryption with SHA-256 for hashing.

10. Test Repeatedly

Securing your app is a process that never ends. New threats emerge and new solutions are needed. Invest in penetration testing, threat modeling, and emulators to continuously test your apps for vulnerabilities. Fix them with each update and issue patches when required.

The iconic data breaches of 2017 like WannaCry and NotPetya have definitely gotten everyone to rise up and take notice of the importance of cyber security, and the coming years will see everyone from organizations to consumers taking security more seriously than ever. Security will become a bigger differentiator in the success of apps than usability and aesthetic appeal.

The above guidelines will help you keep your app security tight as an oyster and keep your clients and users happy.


via:  tripwire

Improving Security without Destroying Careers – Overcoming the Blame Game

I was sitting in an awesome class being held at @BSidesHSV, and it got me thinking.

The class entitled “Fundamentals of Routing and Switching for Blue and Red Teams” put on by Paul Coggin was a deep dive into layer two and layer three configurations, and possible means of compromise. The content was outstanding, and Paul did a great job communicating a very difficult topic.

Throughout the class, Paul relayed many stories of compromises and attacks (all done in a completely generic manner, of course), and I couldn’t help but put myself in the shoes of the poor sap that made the choices leading to the compromise or unexpected result. I thought to myself this could easily be me in a different scenario. In spite of my knowledge and experience, I feel like we are all just one “screw up” away from the unemployment line.

I have over 20 years experience in a multitude of technologies and consider myself to have advanced skills in many areas. That said, I am not deluded. Today’s class served to remind me that no matter how much real world experience I have, there is always something I can learn and something that I don’t know. And its that one thing that I don’t know and don’t implement that could be a career limiting move.

Mulling over those thoughts, I realized that this just should not be. But unfortunately, the world operates this way but why? I think it comes down to this – a moral society is always looking for justice for moral wrongs committed within that society.

This is what makes civilized societies stable, safe and orderly. Unfortunately, we have generally adopted that same “justice at all costs” in the infosec world when poor security practices lead to compromise or outages, but we forget that those getting the blame haven’t committed any moral sin against society.

The scenario goes like this:

  1. Big Boy Company, Inc. experiences a data breach
  2. CEO of Big Boy Company does damage control then blames CISO
  3. CISO denies fault while seeking an underling to blame
  4. Eventually, CISO names Employee X as the lynchpin
  5. Employee X loses their job, their reputation and possibly career
  6. In the background, CEO, CISO and rest dump stock before story breaks

All this happens because everyone wants “justice” and wants a simple answer as to why this terrible thing happened. The problem is technical shortcomings, unless blatantly done for malicious purposes, don’t equate nor align with those moral crimes against society for which we seek justice in a criminal court. Yet, the public and the organization wants somebody upon which to hang all blame.

This fallacy is preventing us as a profession from moving forward and solidly improving security practices. Why? Unless the person getting canned (blamed) is completely incompetent (in which case, why were they in that position in the first place?), removing them means you just removed the most experienced and well-versed employee you had at that level.

In case you haven’t noticed, there is a shortage of qualified and educated infosec workers. Now your organization has to find a replacement, train them and get them up to speed.

In the meantime, don’t you think you just greatly increased the likelihood of another attack since you just let the world know you took out your star? Malicious actors read the news, fully expect the upheaval and will take advantage.

While the poor employee who lost their job and reputation and fights to retain their career, the C-level people share kudos among themselves celebrating their “resolution” and perceived increased security posture after having removed the “problem employee.” They keep their jobs and comfortable career. After the smoke clears, life returns to normal until the next breach that is!

I submit this is not how things should be. I keep going back to Kevin Mitnick and The Art of Exploitation written almost 15 years ago. We are still making the same mistakes today. What the heck is wrong with us?

So, how should we be approaching things? Businesses need to adopt a mindset that accepts the fact that tech employees need to spend about 25 percent or more of their work hours in training learning new skills, re-enforcing existing skills and keeping up with the latest trends in security and technology.

Next, employers need to listen to what these employees learn and adopt those things that will enhance their business security posture.

Training develops awareness. Awareness requires communication followed by management acceptance and action. Any breakdown in this chain leads to trouble.

Unfortunately, businesses today expect workers to “learn on their own time.” (for those those that can check out free cybrary.) They might reimburse the employee for their costs. Some even go as far as to provide access to things like Pluralsight and skillsoft or other training platforms. A step in the right direction, but one that overlooks two components: time and accountability.

Full-time employees have 2,080 hours per work year. Most are overworked, have too many expectations placed upon them, and are spending the bulk of their time responding to reactionary problems rather than proactively learning and fine-tuning their organizational security. And they are doing this knowing that they are one “screw up” away from walking the street.

Employees also don’t have clear expectations communicated to them. They are often not held accountable for their own self-improvement. Lack of sufficient time and accountability lead to less-than-stellar improvement in skills.

This is a travesty. Management needs to change their perception and implement policies that give their employees confidence and the freedom to fail without fear of being thrown under the bus. Managers are coaches, and their job is to develop talent. Build a time and dollar budget for every employee and provide them with the tools they need to better serve the organization. These investments will always be far less costly than any breach.

Management should protect their employees, take responsibility when bad things happen and implement positive policy change to increase security. Happy, fulfilled and growing employees are the best security investment you could ever make!



via:   tripwire