Déjà vu crypto debate.
One year after "Apple vs. FBI," British Home Secretary Amber Rudd this past weekend slammed Silicon Valley social networking firms, saying that law enforcement agencies and intelligence services cannot properly investigate criminal behavior when faced with communications that are protected via end-to-end encryption.
"We need to make sure that organizations like WhatsApp - and there are plenty of others like that - don't provide a secret place for terrorists to communicate with each other," Rudd told the BBC's Andrew Marr on March 26.
Rudd is the latest in a long line of politicians who have been accused of using recent tragedies to push for weak encryption (see Cybersecurity, Crypto and the Politics of Blame).
In this case, on March 22, British national Khalid Masood, 52, launched an attack involving a rental car and a knife that lasted just 82 seconds before he was killed by a firearms officer. He killed four other people in the attack, and left 50 more people injured, some catastrophically.
The government has shared no evidence suggesting that Masood was radicalized online or that he used encrypted communications services.
On-demand access to end-to-end encrypted communications - the magical crypto backdoor - is the political and law enforcement dream that just won't quit.
Matthew Ryder, an attorney at law firm Matrix Chambers in London, says the recurring push for backdoored crypto most resembles "Groundhog Day," referring to the film in which Bill Murray finds himself caught in a time loop, repeating the same day over and over again.
Difficult to follow argument that attack by terrorist already on security radar, acting alone, supports need for new anti-encryption powers.
One well-worn trope in the debate gets regularly aired by FBI Director James Comey, who suggests that smart technologists can solve this problem - if only they would try.
Europe continues to debate this matter, too, with some governments calling for the EU to pass laws that would mandate the use of weak crypto. But Andrus Ansip, the EU's technology policy chief and the former Estonian prime minister, last year warned that there's no "black and white" answer to the problem, and that some supposed solutions might in fact cause more problems. "Sooner or later if we have backdoors, somebody will misuse these backdoors," he said.
In other words, crypto is either strong or weak. There's no magic exception for the good guys.
"I can't build an access technology that only works with proper legal authorization, or only for people with a particular citizenship or the proper morality," writes security expert Bruce Schneier, CTO of IBM's Resilient. "The technology just doesn't work that way. If a backdoor exists, then anyone can exploit it."
Rudd, however, claims she isn't trying to outlaw encrypted communications. "End-to-end encryption has a place," she told Sky's Sophy Ridge on March 26. "Cybersecurity is really important and getting it wrong costs the economy and costs people money, so I support end-to-end encryption."
But she joins a long line of politicians who, to put it charitably, oftentimes appear to not know what they're talking about when it comes to encryption, or the fact that Britain's controversial Investigatory Powers Act, passed last year, gives her government the backdoor powers she's demanding.
Former Prime Minister David Cameron, for example, argued that he didn't want a backdoor for crypto, but rather a front door. "We're not asking for backdoors; we believe in very clear" - always a red-flag term - "front doors through legal process that should help to keep our countries safe," Cameron said in January 2015.
Rudd has likewise demanded access to any communications - even encrypted - with a warrant. She also used her television appearances to slam social networks for failing to prevent the spread of extremist content online, implying - without proof - that this helped drive Masood's attack.
Like Comey, Rudd thinks smart people "who understand the technology, who understand the necessary hashtags to stop this stuff even being put up" are key to blocking the spread of extremism online.
It's not clear what Rudd meant by "necessary hashtags."
The EU's law enforcement intelligence agency, Europol, has an EU Internet Referral Unit designed to combat online terrorist propaganda, disrupt extremist recruitment and coordinate related intelligence-gathering and law enforcement response.
After Britain withdraws from the EU, however, it's unclear if Britain will still be able to access EU services and agencies such as Europol.
British Prime Minister Theresa May says she will trigger the formal Brexit process on March 29, thus beginning at least two years of what many expect will be messy divorce proceedings, which has already triggered economic uncertainty, the potential for another Scottish referendum and other massive changes that could easily topple the current government.
Rudd, the home secretary, is in charge of internal affairs for England and Wales and for U.K. citizenship and immigration, which is a Brexit sticking point between the U.K. and the EU.
Just three days before the historic Brexit process begins, however, she takes to television to make a straw man out of crypto.
Coincidence?
Data Breach Notifications: What's Optimal Timing? Answer: It Depends
Extract from Coupa's March 15 breach-notification letter to victims.
Question: How quickly do organizations have to notify oversight agencies or affected consumers after they suffer a data breach?
Answer: It depends.
Under Europe's new General Data Protection Regulation, for example, any organization worldwide that suffers a breach that exposes Europeans' personal information must notify their "relevant supervisory authority" within 72 hours of discovering the breach, according to Britain's privacy watchdog, the Information Commissioner's Office. Failure to comply puts organizations at risk of being hit with massive fines.
"In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place," the ICO says.
But it's important to note that the notification deadline in the GDPR rules - now in effect, but not due to be enforced until May 2018 - relates to informing authorities. No rules, at least yet, specify how quickly affected Europeans must be notified.
In the United States, the Health Insurance Portability and Accountability Act requires covered entities to notify federal authorities and affected individuals within 60 days of discovering a breach that affects 500 or more individuals. By contrast, the banking sector's Gramm-Leach-Bliley Act requires financial firms to notify customers of a security incident "as soon as possible."
The Securities and Exchange Commission, meanwhile, says publicly traded U.S. companies must provide "timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision," including any breaches the company suffers.
State laws vary widely on breach notification. For example, New Mexico, the most recent state to pass a breach-notification law, will require organizations to issue notifications within 45 days of discovering a breach, if 1,000 or more of the state's residents are affected. In California - the first state to pass a breach-notification law back in 2002 - notifications must be issued for breaches that affect 500 or more state residents.
"In the case of California, the standard is to disclose 'in the most expedient time possible and without unreasonable delay,'" Eva Casey Velasquez, president and CEO of Identity Theft Resource Center, a not-for-profit organization that assists data breach victims, tells me. "There is also language that speaks to the need for law enforcement to determine that the notification will not compromise an investigation."
Despite repeated attempts, Congress has yet to pass a federal breach notification law that could supplant the 48 state laws now in place.
Notwithstanding regulations and contractual obligations, optimal breach notification timing should be "not too soon, not too late," says cybersecurity attorney Mark Rasch, who in 1991 created the Computer Crime Unit at the U.S. Department of Justice.
"Too soon, you run the risk of inaccurate disclosure, and unnecessary panic. Too late, and the harm is already done," he says. "You disclose because there's something the victim can - and should - do to mitigate the harm." For example, in the United States that might include freezing one's credit reports, in the event that personally identifiable information has been exposed that could be used by identity thieves. Or the warning could give potentially affected consumers a heads-up to keep a close watch for fraud via their credit card statements.
Ideally, organizations will have planned well in advance for the moment they learn they've been breached. "All companies should have a data breach response program in place, practice it yearly, and be able to respond in around 30 to 45 days from discovering an issue or incident," says Chris Pierson, the CSO and general counsel for financial technology payment firm Viewpost.
He warns that rushing can be bad for all concerned, since an organization's legal and security teams need digital forensic investigators to specify to them who the breach affected and what was stolen before they can craft accurate notifications, enroll victims in identity theft monitoring, and so on.
"It is much more advisable to report a breach when the facts are known, the affected population determined, and the full resources of the company and vendors are in place," says Pierson, who also advises the Department of Homeland Security on data privacy and cybersecurity matters. "Failing to allow for this time to report can cause greater harm and worry to customers as the facts will change from day 10 to day 30."
Indeed, as breach investigations proceed - for example in the massive 2013 Target breach - investigators often find that the breach is much worse than they may have first suspected. Arguably, issuing changing and overlapping breach notifications leads to unnecessary "breach fatigue" for victims. "That only further confuses and complicates things for consumers, and it erodes trust for the business," ITRC's Velasquez says. "No one is better off in that scenario."
Already, many organizations quickly alert authorities when they suspect that they've suffered a breach, even if not required to do so. And here's a hint: Doing so always looks good.
Cloud services firm Coupa, for example, suffered a breach on March 6 and notified victims in a letter dated March 15. In the letter, Coupa said that after detecting that it had fallen victim to the phishing scam, "we immediately contacted the Internet Crime Complaint Center [IC3], operated by the Federal Bureau of Investigation, and alerted the IRS of this scam" (see Silicon Valley Firm Coupa Hit by W-2 Fraudsters).
Many breached U.S. organizations find out they've been hacked thanks to a third party - often the FBI, which may discover the hack during its own investigations, or receive a related tipoff from private sector investigators.
According to the 2017 M-Trends report from FireEye's Mandiant, 47 percent of breached organizations that the firm worked with last year learned they were breached thanks to being notified by an external party. On average, externally found breaches went undetected for 107 days, compared with 80 days for a breach that the organization discovered itself.
Once the breach gets discovered, organizations can begin investigating the intrusion, gain an accurate understanding of what happened, and finally alert any victims as to what happened and what they should do to protect themselves. "It's as important to get it right as it is to get it fast," Rasch says.
An analysis of British Home Secretary Amber Rudd's call, in response to last week's terrorist attack in London, for law enforcement and intelligence services to gain access to encrypted communications services, such as WhatsApp, leads the latest edition of the ISMG Security Report.
The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Check out our March 21 and March 24 reports that respectively analyze FBI Director James Comey's revelation of a counterintelligence investigation of possible ties between Donald Trump's presidential campaign and the Russian government and how blockchain could be used to secure shared, cyberthreat information.
The next ISMG Security Report will be posted on Friday, March 31.
Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.
Microsoft's Docs.com file-sharing service has been an open window to viewing people's personal data. The company appears to have taken some steps to contain the exposure, but those watching closely say sensitive personal information can still be found via search engines.
Docs.com is designed as an online repository that lets people share their data easily with others. The site also has a search function to find files.
A U.K.-based researcher, Kevin Beaumont, began searching for sensitive terms and turned up a raft of worrying data, including password lists, bank account details and Social Security numbers.
He jokingly dubbed Docs.com as Dox.com, a reference to the practice of doxing, where hackers publish sensitive information online against the wishes of a victim.
"People clearly don't understand how the service works," he writes on Twitter.
I decided to design Microsoft https://t.co/lynwVAu1Ay a new logo, #doxs - this one includes bank accounts, sort codes, SWIFT details etc. pic.twitter.com/J5faiDYeEP
The data exposure isn't the result of a direct error by Microsoft. Rather, it would appear that some people aren't aware that documents uploaded to docs.com are made public by default. That's unlike other file uploading services that default to private access.
Docs.com displays a preview of a newly uploaded document. There's a left hand panel of controls that lets users add a description and author. But you have to scroll down to see a warning that the document will be public by default. The top third of the panel shows a save button that publishes the document to the web.
To keep the document off the public web, a user has to choose the "limited" option, which only allows those who have a direct link to the document to view it.
Since Beaumont began tweeting about the problems on March 24, it appears Microsoft has taken action. The company removed the search feature from docs.com for a while, but for some inexplicable reason, reintroduced it.
As such, it is still possible to find documents with information that it's plausible to assume users would not want exposed. Since the documents have been exposed to the internet, search engines may have cached some of the data. As of March 28, it was possible to use Google to do a site-specific search of docs.com and retrieve data whose owners probably don't realize is public.
Microsoft officials aren't getting into the details of how the company is handling the leak. It does appear that some docs.com accounts with flagrant personal information have been flagged, as documents that show up in a Google search can't be rendered.
"As part of our commitment to protect customers, we're taking steps to help those who may have inadvertently published documents with sensitive information," Microsoft says in an email statement. "Customers can review and update their settings by logging into their account at www.docs.com."
Microsoft may not be directly responsible for the data leakage, but it definitely made some horrendous design choices. Clearly, making documents public by default was a bad decision.
The security community knows well that making the safer option the default is always best. It's unreasonable to expect that users are going to carefully examine any user interface and choose the safest option.
While the ultimate fault does rest with users here, Microsoft should have seen this coming.
Distributed Cybercrime - Attack the World
How Business Model Innovation Has Changed the Game of Cybercrime
Ransomware and banking Trojans dominate the cybercrime mainstream today, and their technical operations are heavily analyzed. But little attention has been given to the business model, which plays a large role in dictating their behavior, targets and tactics.
A revolutionary concept in cybercrime is what I call "distributed cybercrime," a business model in which cybercriminals attack many victims in the same campaign. Like many other inventions now common in modern life, distributed cybercrime may seem trivial today. But this concept emerged little more than a decade ago and has already dominated the threat landscape.
Improved ROI and the support of a newly erected "dark industry" have made distributed cybercrime the hottest trend in cybercrime. Most of the professional cybercriminal groups today develop malware with a distributed business model, then use professional platforms, distribution services and infection experts to attack the world. They don't know who their victims are, nor do they care. They're not looking to get points on style. They're just businessmen who built the perfect, automated money-making machine.
Beginning in 2006, innovations in malware, banking Trojans and ransomware created a new type of business model for cybercriminals: Rather than concentrating all their efforts on penetrating high-quality targets, they can steal small amounts of money from numerous victims.
The business model of distributed cybercrime has made some attackers multi-millionaires in a short amount of time due to its many business benefits:
- Attacks require less effort as they target "low-hanging fruit" (i.e., individuals or organizations with sub-par security).
- Attack skill level is low compared to techniques such as spear-phishing - regular ol' phishing is good enough for weak targets.
- Highly coveted zero-day vulnerabilities are no longer required for profitable attacks - mainstream CVE vulnerabilities with known exploits and existing patches will do, as many victims don't patch regularly.
- Any standard endpoint is a potential source of revenue, making lateral movement toward the crown jewels irrelevant.
- When you attack the world, the sky is the limit - the amount of potential revenue is endless.
- Less effort and more profit means better ROI.
The new business model presented new challenges for cybercriminals. If you want to become filthy rich through distributed cybercrime, you can't just attack 100 victims - you need to attack hundreds of thousands of victims. This drove professional cybercriminals to build mass-distribution platforms to spread their malware and automated-infection systems to exploit victims' machines and run the malware.
But quantity of traffic is not enough. Victims must fit a desirable profile. Cybercriminals want to avoid targeting low-income victims with ransomware as they're probably less able to pay the ransom, and the ransomware's language should match the victims' language to ensure instructions on purchasing bitcoin and paying the ransom are understood. Mass distribution experts and traffic dealers offer their shady customers this very type of targeted services.
In addition to victim-specific traffic, infection services are also up for sale (or more commonly, for rent). Rather than coming up with new or unique exploits, pre-packaged exploit kits are readily available to launch the attack of your choosing. These kits supply the distribution and traffic services mentioned above, use the best exploit available to infect victims' machines and, if successful, run the customer's malware. The exploit kit method essentially outsources distribution and infection to reliable, high-quality service providers at an affordable price.
You may ask yourself: what happened to targeted attacks? The answer: absolutely nothing (and thank you for asking). In fact, targeted attacks today are easier than ever, as demonstrated by cyber attackers who do care about the identity of their victims (like nation-states). Targeted attacks did not disappear - they've only been eclipsed by the attractiveness of the ROI of distributed attacks. Only when the profitability of targeted attacks can compete with the distributed cybercrime business model will we see their rise to prevalence again.
There are initial signs that cybercriminals are testing targeted attacks with malware more commonly used for distributed attacks, as evidenced by recent ransomware attacks on high-quality targets such as hospitals and hotels. The problem comes back to ROI: While cybercriminals demanded up to $5 million ransom from one victim, the highest ransom paid by a single victim (as far as we know) was a meager $28,000.
What's next for the innovative cybercriminal? My prediction: a hybrid business model with tailored ransom pricing. Imagine a mass-distribution platform doling out ransomware on a global scale that, when executed, will assess the victim's environment. If that environment is a consumer's machine, the calculated ransom will be relatively low; if it's an enterprise network, considerably higher; if it's critical infrastructure, astronomical.
Whatever the next big thing is in cybercrime, you can be sure it will be driven by ROI - nothing dictates the dark industry more than these three simple letters.