Law 7 – You Are the Weakest Link

laws7This post is the seventh post in a series of ten posts. The previous post explored the sixth law: Security is not stronger than its weakest link.  Although often neglected, the seventh law is fundamental.  It states that human users are often the weakest element of the security.

Humans are the weakest link for many reasons.  Often, they do not understand security or have an ill perceived perception of it.  For instance, security is often seen as an obstacle.  Therefore, users will circumvent it when security is an obstruction to the fulfillment of their task and will not apply security policies and procedures.  They do not believe that they are a worthwhile target for cyber-attacks.

Humans are the weakest link because they do not grasp the full impact of their security-related decisions.  How many people ignore the security warnings of their browser?  How many people understand the security consequences and constraints of Bring Your Own Device (BYOD) or Bring Your Own Cloud (BYOC)?  Employees put their company at risk by bad decisions.

Humans are the weakest link because they have intrinsic limitations.  Human memory is often feeble thus we end up with weak passwords or complex passwords written on a post-it.  Humans do not handle complexity correctly.  Unfortunately, security is too complex.

Humans are the weakest link because they can be easily deceived.  Social engineers use social interaction to influence people and convince them to perform actions that they are not expected to do, or to share information that they are not supposed to disclose.   For instance, phishing is an efficient contamination vector.

How can we mitigate the human risk?

  • Where possible, make decisions on behalf of the end user; as the end users are not necessarily able to make rational decisions on security issues, the designer should make the decisions when possible. Whenever the user has to decide, the consequences of his decision should be made clear to him to guide his decision.
  • Define secure defaults; the default value should always be set to that for the highest or, at least, an acceptable security level. User friendliness should not drive the default value, but rather security should.
  • Educate your employees; the best answer to social engineering is enabling employees to identify an ongoing social engineering attack. This detection is only possible by educating the employees about this kind of attack.  Training employees increases their security awareness and thus raises their engagement.
  • Train your security staff; the landscape of security threats and defense tools is changing quickly. Skilled attackers will use the latest exploits.  Therefore, it is imperative that the security personnel be aware of the latest techniques.  Operational security staff should have a significant part of their work time dedicated to continuous training.

Interestingly, with the current progress of Artificial Intelligence and Big Data analytics, will the new generation of security tools partly compensate this weakness?

If you find this post interesting, you may also be interested in my second book “Ten Laws for Security” that will be available end of this month.   Chapter 8 explores in details this law. The book will be available for instance at Springer or Amazon.

A “charitable” ransomware

This is not a joke. Heimdal Security disclosed a new variant of ransomware combining CryptoWall 4 and CryptXX. It has all the usual components of ransomware. The ransom itself is high: five bitcoins (about $2,200). Usually, ransoms are around $500.

In addition to the exceptional price, the ransomware adds some social engineering tricks. In the ransom screen, you will find: Your money will be spent for the children charity. So that is mean that You will get a participation in this process too. Many children will receive presents and medical help!

And We trust that you are kind and honest person! Thank You very much! We wish You all the best! Your name will be in the main donors list and will stay in the charity history!

So do not hesitate to pay, it is for the kiddies L

Moreover, there is an additional benefit.

Also You will have a FREE tech support for solving any PC troubles for 3 years!

Trust us L

Remember the best practices for avoiding ransomware:

  • Backup your computer(s) regularly; Use a physical backup (air gaped) rather than a cloud-based one (unless it is disconnected). A new generation of ransomware also encrypts remote or cloud-based servers.
  • Do not be infected; do no click on suspicious attachments or links in emails; avoid ‘suspicious’ websites.
  • Protect your computer(s); up to date OS and antivirus

Stealing account with mobile phone-based two-factor authentication

Attackers often entice users to become the weakest link.   Phishing and scams exploit the human weakness.  These attacks become even creepier if the attacker circumvents legitimate security mechanisms.   Two factor authentication offers better security than simple login/password.  The use of mobile phone as the second factor is becoming mainstream.  It is impossible to steal our account without stealing our phone.  We feel safer.  Should we?

Symantec reported a new used method to steal the account of users despite the use of a two-factor authentication.   Here is the scheme.

Mallory wants to gain access to Alice’s account.  He knows Alice email address and her mobile phone number as well as her account.  For a social engineer, this information is not difficult to collect.  It is part of the usual exploration phase before the actual hack.   Mallory contacts the service provider of Alice’s account and requests a password reset.  He selects the method that sends a digital code to Alice’s mobile phone.   The service provider sends an SMS to Alice’s mobile phone with this code. Simultaneously, Mallory sends an SMS to Alice impersonating the service provider.  Once more, this is not difficult as many providers do not use a specific number.  This SMS explains to Alice that there was some suspicious activity on her account.  To verify her account, she must reply to this SMS with the code that was sent previously to her.  Gullible Alice obeys.  Mallory has now the code that the service provider requests to reset Alice password.  Mallory gains entire access to Alice’s account with the involuntary help of Alice.

This type of attack can be used on most web services, e.g., webmails like gmail.  Obviously, Alice should not have replied to this SMS.  She should have followed the known procedure and not an unknown one.  She may have been cautious that the two phone numbers were different.

This is a perfect example of social engineering.   The only answer is education.  Therefore, spread this information around you,  The more people are aware, the less they will be prone to be hacked.  Never forget Law 6: You are the weakest link.

Cloud services as Command and Control

Cloud services are increasing the surface of attack of corporate networks.   For instance, we  associate usually to file sharing services the risk of leak of confidential information.  This is a real threat.  These services may also present another more lethal threat: become Command and Control channels (C&C).   C&C is used by botnets or Trojans to communicate with the infected machines.

At Black Hat 2013, Jake Williams presented DropSmack: a C&C tool dedicated to dropbox.  In his paper, he explains the genesis of this tool.  It is a well documented story of an advanced penetration test (worthwhile to read, if you’re not familiar with these tests).  The interesting part of the story is that he succeeded to infect an employee’s home computer.   The employee used this home computer to work on corporate documents using his dropbox account.  Thus, any modification or new file in the dropbox folder was synchronized to the cloud based folder and then synchronized to the company’s computer.   If the attacker succeeds to implement a malware on the home network folder, it will appear and infect the corporate computer.

Thus, using DropSmack, he was able to implement a C&C using dropbox as channel.  What is interesting is that it flies below the radar of firewall, IDS or DLP because the synchronized files are encrypted!  Furthermore, the likelihood that Dropbox is whitelisted is high.  Furthermore, following the statictics presented in my last post, the likelihood that one of your employees is already using Dropbox, even without the blessing of IT department, is extremely high.

Last month, Trendmicro detected a Remote Access Tool using Dropbox as C&C!  It was used to target Taiwanese government agency.

 

A few lessons:

  • When a researcher presents an attack, it does not take long to appear in the wild.  Never downplay a disclosed attack.
  • Cloud brings new threats and we are just seeing the tip of the iceberg.  Worst to come.

 

PS: the same attack may be used on any file sharing service.  Dropbox as used due to its popularity and not because it is vulnerable.   The vulnerability resides in the concept of (uncontrolled) file sharing.

Social engineering and catastrophes

Recently, I visited a security company. They presented their new impressive Security Operational Centers. The security analysts had a continuous update of the sanity of their networks, the most prominent threats and the a wealth of other useful security indicators on three huge displays. In the bottom right corner, info channels, as well as selected tweets were continuously updated. They explained that it was key to be aware of breaking news as they may impact the threat environment.

They are right. A good social engineer may use the current breaking news and the morbid curiosity of users. With the advent of social networks and its vector to disseminate latest news, news have been common tools of attacks. For a few years, every major catastrophe has seen mushrooming spams and fake sites pretending to collect charities for the victims of the catastrophe. In 2014, it even started to become a vector for Advanced Persistent Threat (APT).

On 2014 March 8, Malaysian authorities announced that they had no news of the flight MH370 to Beijing. It took several weeks before having confirmation that this flight crashed in the sea. Meanwhile, this topic was used for spying political instances. Two days later, members of a government of the Asian Pacific region received a spear phished mail with an attachment titled “Malaysian Airlines MH370.doc”. Of course, this document was empty but contained a Poison Ivy malware]. It was sent by Admin@338″: a Chinese hacking group. The same attacking group sent on 2014 March 14, a different spear-phished email to a US think tank with an attachment titled “Malaysian Airlines MH370 5m Video.exe”. Once more, the attachment was a malware.

Many other malwares used the same catastrophe without being part of an APT, but rather generic random attacks. Some phishing sites, mimicking Facebook look, were used to collect data from spoiled users. The sites supposedly presented a video of the supposed discovery of the missed plan. Before viewing the video, the site proposed the users to share the video with their friends. After the site asked the users to answer some questions such as age. In other words, the phishing sites scammed the curious tricked users.

This trend exists since a few year and uses every widely covered catastrophe. Thus be aware, charity may be a threat vector.

Favor helps

If you do favor to one person, will this person more likely comply to your request? Dennis Regan studied this question in 1971. The purpose was to validate:

  • Subject is more likely to respond your request favorably if he likes you
  • Subject is more likely to answer your request favorably if you just did him a favor

The experiment is complex.  As usually, it uses a confederate.   In a first phase, the confederates manipulates liking: becoming either pleasant or unpleasant (depending the way he answers a phone call).  Then, they have to participate to a common experiment.   Then, the confederate manipulates favor.  For positive favor, he offers a soda to the subject.  For no favor, he does not offer a soda.   For irrelevant favor, another person offers a soda both to the confederate and to the subject.

Then the experiment measures the compliance to a request.  Thus, the confederate proposes the subject to purchase some cheap raffle tickets.  The amount of purchased ticket is the metric.

The experiment measures also the liking by asking, among many other questions, to rate how the subject felt toward the confederate.

Following are the average purchased raffle tickets depending on the experimental conditions

  Favor Irrelevant Favor No Favor
Pleasant confederate 1.91 1.50 0.80
Unpleasant confederate 1.60 1.00 0.80

The experiment shows that a favor increases the likelihood to comply with a request.  It seems that the Reciprocity principle applies here.  The normative pressure to return the favor is stronger than the attitude.

Of course, good social engineers use this trick.

D.T. Regan, “Effects of a favor and liking on compliance,” Journal of Experimental Social Psychology, vol. 7, Nov. 1971, pp. 627–639.

Security Newsletter 22 is available

The  Security Newsletter 22 is available. We are proud to have as guest Joan DAEMEN. Joan is one of the authors of KECCAK, the new algorithm selected by NIST to become the new official SHA-3 function. Mohamed is presenting this new hash function. SSL is the most deployed security protocol on the Internet, thus it is highly scrutinized by the community. Olivier, Christoph and Benoit have a deep dive into the latest attacks against SSL.

Hoping that you will enjoy its reading. Do not hesitate to comment.