July 24, 2013

New NSA Security Rule in Light of Snowden Data Breach

Last month, Security Checks stated in our "NSA Data Breach: USB Flash Drive" post that the NSA would likely implement tighter security protocols in response to the Edward Snowden data breach. We knew it was coming; the question was what. With a name like National Security Agency, the possibilities are as limitless as one's imagination.

As mentioned in that post, Snowden used a USB flash drive (often referred to as a thumb drive) to download top secret information about U.S. surveillance programs. For basic network users, USB flash drives are prohibited. However, Snowden was able to bypass that security feature since he had elevated access permissions as a system administrator. Lucky him!
The simplest approach to a security vulnerability is implementing a procedural change, and that is what the NSA did. It's rather ironic that the high-tech agency would use a low-tech approach. The new NSA procedure requires two system administrators to work simultaneously when they access highly classified networks. They call this the two-man rule, or two-person integrity (TPI), which is a common security practice often used around highly sensitive material. This simple procedure makes sense considering:
  • The top secret classification on the material Snowden removed means the information was determined to cause exceptionally grave damage to national security. This definition is in accordance with Executive Order 13525, Classified National Security Information, the primary U.S. Executive Branch classification system document.
  • The system administrators' elevated permissions permit them to bypass the security features for typical network users.
You don't need overly complicated processes and gizmos to be effective. The NSA Director, General Keith Alexander, stated at the Aspen Security Forum that the new rule will likely make their jobs more difficult. Granted, this procedure takes the convenience factor out, but security is not about convenience, and I doubt this would have a significant impact on their overall mission. Additionally, "he described future plans to keep the most sensitive data in a highly encrypted form, sharply limiting the number of system administrators - like Mr. Snowden - who can move data throughout the nation's intelligence agencies and the Department of Defense." (Sanger and Schmitt, 2013)
An interesting note from the New York Times article covering this event: "Mr. Carter, a physicist and former Harvard professor who has worked at the Pentagon since the beginning of the Obama administration, blamed the leak of highly classified data partly on decisions made after the investigations into the intelligence failures surrounding the September 11, 2001 terrorist attacks... the pressure to recompartmentalize information is bound to raise questions about whether the government is restoring a system that ultimately, was blamed for many of the failures to 'connect the dots' before the 2001 attacks." (Sanger and Schmitt, 2013)
Within the 500-plus-page 9/11 Commission Report, there are numerous intelligence failings mentioned, but it primarily faulted the pre-September 11th stove-pipe mentality that prevented intelligence agencies from sharing information.
Dilanian, K. (2013 June 13). Officials: Edward Snowden took NSA secrets on thumb drive. L.A. Times. Retrieved from http://www.latimes.com/news/politics/la-pn-snowden-nsa-secrets-thumb-drive-20130613,0,791040.story
Franceschi-Bicchierai, L. (2013 June 14). Snowden stole secret NSA documents with a flash drive. Mashable. Retrieved from http://mashable.com/2013/06/13/snowden-nsa-thumb-drive/

Sanger, D. and Schmitt, E. (2013 July 18). N.S.A. imposes rules to protect secret data stored on its networks. New York Times. Retrieved from http://www.nytimes.com/2013/07/19/us/military-to-deploy-units-devoted-to-cyber-operations.html?src=recg&_r=0

July 23, 2013

SIM cards vulnerable to hacking

Karsten Nohl of Germany-based Security Research Labs recently warned about a security design flaw found in roughly 750 million Subscriber Identity Modules (often referred to as SIM cards) that leaves mobile phone users vulnerable to remote hacking.
He plans to present more information at the July 31, 2013 BlackHat Conference in Las Vegas, and the August 3, 2013 OHM hacker camp.
For those unfamiliar with SIM cards, "they enable the phone to receive signal from a mobile phone company...SIM cards are encoded with information about the carrier that you are using..." (eHow) Basically, it is the plastic circuit board near the phone battery that houses the phone's unique authentication signature identifying the phone to mobile networks. You could say that the authentication code is like your phone's version of a social security number or tax identification. "SIM cards are the de facto trust anchor of mobile devices worldwide. The cards protect the mobile identity of subscribers... and increasingly store payment credentials..." such as mobile banking. (Nohl, 2013)
Mr. Nohl discovered this authentication code by sending a text message that pretended to be a communication from a network carrier. Some mobile phones respond with an error message that includes an encrypted authentication code. Half of the encrypted authentication codes from the error message were based on the 1970s Digital Encryption Standard (DES) coding system, which can be cracked within a few minutes on a standard computer. (BBC, 2013)
In Forbes magazine, Parmy Olson reported that Mr. Nohl and "his team tested close to 1,000 SIM cards for vulnerabilities, exploited by simply sending a hidden SMS. The two-part flaw, based on an old security standard and badly configured code, could allow hackers to remotely infect a SIM with a virus that sends premium text messages (draining a mobile phone bill), surreptitiously re-direct and record calls, and - with the right combination of bugs - carry out payment system fraud...There's no obvious pattern to the flaw beyond the premise of an older encryption standard...."
Combined with other techniques in the wrong hands, this could be used as a surveillance tool. (BBC, 2013) Sadly, Mr. Nohl states there is little a user can do. All phone models are vulnerable, including iPhone, Android, and BlackBerries. (Reuters, 2013) That said, Security Checks would like to point out that not all mobile phones contain this security vulnerability. The flaw is expected to be in 750 million phones worldwide. There are billions (yes, plural) of phones out there. Statistics are on your side, but you should still exercise caution when using your phone to access sensitive information.
Mr. Nohl expects the wireless industry to respond quickly by providing an over-the-air download to protect users against this security flaw. He doubts cyber criminals had prior knowledge of this bug, but with the word already on the street, they are probably working on trying to exploit it right now. Mr. Nohl suspects it would take them at least six months; hopefully, mobile phone networks will have a solution in place by then. According to a Forbes article covering this vulnerability, "at least two large carriers have already tasked their staff with finding a patch for the SIM vulnerability..." (Olson, 2013)
Mr. Nohl plans to delay until December the publication of a survey showing which mobile phone users are the most prone. He is doing this to buy network carriers time to fix the issue.
BBC (2013 July 22). Millions of SIM cards are 'vulnerable to hack attack.' BBC News. Retrieved from http://www.bbc.co.uk/news/technology-23402988
eHow. "How does a SIM card work?" eHow tech. Retrieved on 23 July 2013 from http://www.ehow.com/how-does_5050449_sim-card-work.html 
Jennings, R. (2013 July 22). Another BYOD worry: Hacking via SIM-card vulnerability. Forbes Magazine. Retrieved from http://www.forbes.com/sites/netapp/2013/07/22/byod-phone-hacking-sim-card/
Nohl, K. (2013). Rooting SIM cards. Security Research Labs. Retrieved on 23 July 2013 from https://srlabs.de/rooting-sim-cards/
Olson, P. (2013 July 21). SIM cards have finally been hacked, and the flaw could affect millions of phones. Forbes magazine. Retrieved from http://www.forbes.com/sites/parmyolson/2013/07/21/sim-cards-have-finally-been-hacked-and-the-flaw-could-affect-millions-of-phones/ 
Reuters. (2013 July 21). Update 1-UN warns on mobile cybersecurity bugs in bid to prevent attacks. Thomson Reuters. Retrieved from http://www.reuters.com/article/2013/07/21/mobile-hacking-idUSL6N0FR0JD20130721 

July 21, 2013

Security Vulnerability: tumblr iOS on iPad or iPhone

Image: tumblr app makes password vulnerable (image from My Phone Daily)
Today I read an article that provides a good example of why businesses should research new technology from a security perspective prior to integrating it into their organizations. Recently a reader of The Register, a global online tech publication, uncovered a security vulnerability when using Tumblr on any iPhone or iPad. For those not in the know, Tumblr is a popular microblogging-meets-social-media platform, which could be a good fit for a business' marketing model. (Aamoth, 2013)
The reader's discovery came during a corporate audit to see if iOS applications could be used on business smartphones without inadvertently compromising sensitive business information. Thankfully the discovery came before hackers compromised business user accounts. According to The Register's July 17 article by John Leyden, "Tumblr's iOS app fails to log users in through a secure (SSL) server... As a result users' plaintext passwords are exposed..." (Leyden, 2013)
Tumblr released a security update for iPhone and iPad apps to address this issue. Users are highly encouraged to immediately download and install the update. Additionally, users should change their passwords to reduce the risk of having their accounts taken over by a third party. (Gottfrid, 2013) When creating a new password, Security Checks recommends you use some of the tips in our "The commonly common password" post.

Aamoth, D. (2013 May 19). What is Tumblr? What you're about to read can only be fairly categorized as a technoerotic thriller. Time Magazine. Retrieved from http://techland.time.com/2013/05/19/what-is-tumblr/
Gottfrid, D. (2013 July 16). Important security update for iPhone/iPad users. Tumblr blog. Retrieved from http://staff.tumblr.com/post/55648373578/important-security-update-for-iphone-ipad-users 
Leyden, J. (2013 July 17). D'OH! Use Tumblr on iPhone or iPad, give your password to the world. The Register. Retrieved from http://www.theregister.co.uk/2013/07/17/tumblr_ios_uncryption/