Monday, April 30, 2018

Don't let InfoSec Fatigue Infect Best Practices


We live in such a wonderful era. The technology is growing in complexity exponentially. Moore’s Law seems to be expanding rapidly in its application. Social media reports the news within 15 minutes when a generation ago, this may have taken a day or more to publish.

With the good, however, comes the bad. Although we receive the information so quickly, people have become numb to it at certain levels. One of these areas is InfoSec. There is a mountain of new articles to read hourly. These abound on various topics: new and updated programs, new mobile apps to make our lives easier, new security breaches with data exfiltrated (credit card numbers, social security numbers, addresses, medical records, biometric information, pictures, etc.), and vulnerabilities in both new and older equipment. The PII, PHI, EMR, EHR, and other private, confidential data, when successfully exfiltrated, are sold multiple times across the dark web until they are no longer of marketable use.

The affected persons then have the opportunity to monitor their personal credit for at least the next few years. The allegedly negligent corporation that allowed this may provide 90 days or a year of free credit monitoring. This may seem a pleasant apology; however, measured against the totality of the issue, it truly is worth very little.

All of the news agencies continually talking about old exposures, new vulnerabilities and breaches, and other buzz-worthy posts leave people numb. Being constantly wary of everything from the computer age builds fatigue and an increasing level of apathy. People have simply given up in certain instances. They just don’t want to deal with this anymore. The callus toward the risks from computing has thickened as a result. This may lead to users exhibiting riskier behaviors with their computers, such as visiting unknown websites and not updating their AV as quickly as they should.

Recent Breaches
This has led to several significant breaches over the last few years. In 2017, we had the Equifax breach, with over half of the US population potentially having their sensitive, confidential information for sale to and use by unauthorized parties. There were also 150M UK citizens with the same issue due to this. Several hospitals were also affected by ransomware and had data exfiltrated. Several universities in the US and Canada have had multiple compromises, affecting their operations and students. In 2016, JPMorganChase was breached, affecting 76M households and 7M businesses. In 2014, there were a myriad of breaches to choose from. These included Target, Neiman Marcus, Michael’s, PF Chang’s, Albertsons, Home Depot, LinkedIn, Yahoo, and too many others to note.

What to do?
As these continue to build, growing larger in the number of files being compromised and in the number of companies being attacked, the fatigue will grow. To reduce this detrimental trend, there needs to be a renewed focus on implementing InfoSec best practices, not practices bent to suit what we want. Best practices should mold the InfoSec program, rather than trying, in vain, to make best practices fit within our self-constructed parameters.


Sunday, April 29, 2018

Nvidia Chip's Issue


The Nintendo Switch is a popular console across the nation, used by many. One piece of this equipment is an Nvidia chip. Unfortunately, researchers have noted a vulnerability with this chip. It was found by Kate Temkin and an engineer known as Hedgeberg. For two researchers working alone, this may have been an unnerving task. They participated, however, in the Nintendo Switch Hacking Project (ReSwitched). The researchers titled this Fusée Gelée.

As this is a published issue, the researchers did have to release the PoC exploit. The researchers were completely responsible and disclosed the issue to Nintendo and the other vendors using this chip in March 2018. The researchers promised not to disclose this until June 15th. There was, however, a third party that had also found the vulnerability and was going to disclose it. The researchers thought holding this until the promised date would be problematic, as the other researchers were going to publish it anyway, and so released it early.

Target
This affects a limited scope of the chips, not Nvidia’s entire product line. It has been noted to affect the Tegra chips prior to the T186/X2, sold prior to 2016. This chip is predominantly used in the Switch, along with other products. Although it is not used in every product, where it is used, the equipment is potentially at risk.

Exploit
This vulnerability has been open for most of a decade. The Fusée Gelée exploit is focused on the Nvidia Tegra chipset. When properly executed, it allows custom code to be placed on the “locked down” devices. This, in short, is a cold boot attack on the Switch game console while in the Tegra Recovery Mode (RCM). The exploit is due to an unpatchable oversight in the boot ROM.

Operation
In summary, this works via a vulnerability in the Switch’s start-up process. The vulnerability is at the silicon level. During start-up, the Switch chip is taken over and directed to execute unauthorized software. This is used to unlock the Switch, so that potentially unauthorized software and code may be run.

This is not a wireless attack. The attacker has to have access to the equipment before it powers up. Specifically, this affects the USB software stack in the Tegra boot ROM. The stack calls a memory copy function with a length parameter that is defined by the attacker. This allows the processor’s execution stack to be overwritten by the oversized copy operation. The device is pwned, and the attacker is able to direct the processor to execute any chosen code. The crafted USB control request leverages the vulnerability: the attacker’s code is copied onto the active execution stack, adding to or replacing the legitimate code. The attacker controls the Boot and Power Management Processor (BPMP) before any lock-outs or reductions in privilege occur.

As noted, to execute the attack successfully, the attacker needs physical access. For this to work, the device has to be pushed into USB recovery mode by shorting a pin in the right-hand Joy-Con connector.
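As an added illustration of the bug class the post describes (not the Tegra boot ROM’s code, which is not on the page), the sketch below contrasts a USB control-request handler that trusts the host-supplied wLength with one that validates it before copying. The buffer size, sample request bytes and function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed buffer the handler copies into. Constructed size for this example,
 * not a value from the Tegra boot ROM. */
#define RESP_BUF_SIZE 64

/* The 8-byte USB SETUP packet that starts every control transfer.
 * wLength is supplied by the host, i.e. by whoever is plugged in over USB. */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_t;

/* Decode the little-endian SETUP header. Returns false if it is too short. */
bool parse_setup(const uint8_t *raw, size_t raw_len, usb_setup_t *out)
{
    if (raw == NULL || out == NULL || raw_len < 8) {
        return false;
    }
    out->bmRequestType = raw[0];
    out->bRequest      = raw[1];
    out->wValue        = (uint16_t)(raw[2] | (raw[3] << 8));
    out->wIndex        = (uint16_t)(raw[4] | (raw[5] << 8));
    out->wLength       = (uint16_t)(raw[6] | (raw[7] << 8));
    return true;
}

/* The bug pattern the post describes: wLength is used, unchecked, as the
 * memcpy length for a fixed-size stack buffer, so any wLength larger than
 * RESP_BUF_SIZE runs the copy past the buffer and over the stack.
 * Kept for contrast only; never call this with untrusted input. */
size_t handle_unchecked(const usb_setup_t *req, const uint8_t *payload)
{
    uint8_t buf[RESP_BUF_SIZE];
    memcpy(buf, payload, req->wLength);   /* length bounded by nothing */
    return req->wLength;
}

/* Hardened handler: wLength is checked against the destination size and the
 * bytes actually received before any copy. Returns bytes copied, or -1 when
 * the request is rejected. */
int handle_checked(const usb_setup_t *req, const uint8_t *payload,
                   size_t payload_len, uint8_t *out)
{
    if (req == NULL || payload == NULL || out == NULL) {
        return -1;
    }
    if (req->wLength > RESP_BUF_SIZE || req->wLength > payload_len) {
        return -1;   /* oversized request: refuse rather than overrun */
    }
    memcpy(out, payload, req->wLength);
    return (int)req->wLength;
}

/* Constructed sample headers: a benign 16-byte vendor read, and one that
 * claims 0x1000 bytes, far more than the 64-byte buffer can hold. */
static const uint8_t BENIGN_SETUP[8]   = {0xC0, 0x01, 0, 0, 0, 0, 0x10, 0x00};
static const uint8_t OVERSIZE_SETUP[8] = {0xC0, 0x01, 0, 0, 0, 0, 0x00, 0x10};
```

The check that matters is the one on `wLength` before the copy: the boot ROM cannot be patched after manufacture, so this is the kind of validation that has to be present before the silicon ships.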

Remediation
This attack itself is not easy for an unauthorized third-party attacker. It is also not an easy or quick fix for Nvidia. The fix will require the hardware to be re-engineered. This drastic step is required due to the chip’s design.

At the factory, the boot ROM is able to accept minor updates. Once the chip leaves the factory, it can no longer be updated. Thus, once the chip and equipment leave the factory, they are in a vulnerable state. The issue is permanently part of the chip and cannot be remediated.

In closing…
This is a rather serious issue. A successful attack allows full control of the processes, if the attacker so chooses. This is, however, a limited attack, as it requires physical access.


Resources
Claburn, T. (2018, April 23). I got 99 secure devices but a nintendo switch ain’t one: If you’re using nvidia’s tegra boot ROM I feel bad for you, son. Retrieved from http://www.theregister.co.uk/2018/04/23/nintendo_switch_nvidia_tegra_boot_rom_flaw/

Moore-Colyer, R. (2018, April 24). Nvidia tegra x1 flaw allows all nintendo switch consoles to be hacked. Retrieved from https://www.theinquirer.net/inquirer/news/3030823/nvidias-tegra-x1-flaw-allows-all-nintendo-switch-consoles-to-be-hacked

Orland, K. (2018, April 25). Behind the scenes with the hackers who unlocked the nintendo switch. Retrieved from https://arstechnica.com/gaming/2018/04/behind-the-scenes-with-the-hackers-who-unlocked-the-nintendo-switch/

Friday, April 27, 2018

Your user's heartbeat used for authentication

There has been and always will be data of a sensitive and confidential nature throughout the business. This has taken and will continue to take different forms, including payroll data, intellectual property, credit card information, and other data not generally in the public’s view. To gain access to it, people will continue to need to be authenticated and validated. Authentication acts as the gatekeeper for access to this data.

This appears to be a simple enough function. It is, however, complicated by the vast amount of confidential and sensitive data being created daily. This increase is due not only to the number of businesses operating but also to the increase in data deemed confidential. There are new state and federal regulations and statutes requiring this data to be secured. Failing to secure it may incur fines and other legal issues, which would be a detriment to the business.

Securing this requires time, effort, and energy. The resulting tool to accomplish this task needs to be useful. The chosen tool has to be workable within the environment to complete the authentication process. There may be a tool available with a false positive rate of 0.00000005%; however, if it is overly security-focused and not workable with the staff, the implementation will be an issue. This leads to the second point: the tool needs to be simple. If it is overly complicated to put into place and use, there would be the opportunity for the implementation to break down. The last point is that the solution needs to be cost-effective. If the solution, while perfect, is overpriced, senior management is not likely to approve it.

ECG
One option for this issue is using a person’s electrocardiograph (ECG). This could be used to encrypt and decrypt data. The ECG measures the electrical activity of the user’s heart, and this measurement would be used as the key and also as a password.

This is a bit unusual but provides a viable option. The person’s ECG is a well-known measurement. The ECG is widely used and measured in the medical setting. This test is not new to the medical establishment or industry. It is generally used to analyze the person’s health status, and the measurements are read by medical professionals to gauge the patient’s health. The cost for this is not significant. These tests are widely done across the planet and are easily done by the respective personnel. This measurement has been proven to be a stable recording for each person.

Benefits
As noted, this is a stable measurement for the person. With this solution, fewer computational resources are used. As these tests are completed so frequently, the ECG itself has been reduced to a simple process that is easily done.

The encryption and decryption functions, while theoretically not overly taxing, may produce a lag time that users would initially notice. Home computers and servers, however, are well capable of completing the task.

This also simplifies the process in that there are no passwords for the user to forget, the IT Help Desk does not have to reset these, and there is the ease of use for the user.

Issues
This does appear to be the near-perfect scenario. The user simply has to show up, and be living, to decrypt data and perform other functions associated with security. Although this is viable on initial review, there are still issues to resolve.

The ECG is a stable measurement. The issue is not with the tool recording the measurement. The potential issue is the source of the measurement. The user, as a person, may not exhibit a stable heartbeat over time. There are changes over the long-term due to the person’s age, any illness affecting their cardiac system, or injury. In the short term, the user may drink, for example, too much caffeine, which may affect their heart.

Also, in the case where the user passes on, there would be rather immediate issues for the business. The sensors could not simply be placed on the body in the hope of retrieving the data. The data is encrypted. Depending on the protocol used, it could take several lifetimes of guessing the key (a brute force attack) to decrypt it.

Also, attackers are looking to exfiltrate data to be sold on the dark web. One of these data sets may be the ECG, which is used as the key. The primary issue with this is that the user is not able to alter, modify, or update their heart or the readings recorded from this organ as it naturally works. A password is able to be changed, which makes that option a bit more flexible. This has happened in the recent past with certain government agencies, as the agencies were compromised. The government employees’ fingerprints and other biometric measures were liberated. Imagine being the government employee and receiving the letter or email expressing the apology that your biometric data, e.g. fingerprint, had been compromised. As this is sold as part of a batch several times across the globe, the potential for significant issues increases.

In closing…
The enterprise is always looking for better methods to encrypt data in order to protect it. The need for this security is weighed against the user’s need for ease of use and flexibility. In the present environment, having a static view on this point is problematic at best. One method to resolve the issue is utilizing biometrics as the key for encryption. This is a great idea; however, there are issues involved with it. In time, possibly this will change.

Resources
Binghamton University. (2017). Heartbeat could be used as password to access electronic health records: Researchers use heart’s electrical pattern as encryption key for electronic records. Retrieved from www.sciencedaily.com/released/2017/01/170118125240.htm

Cimpanu, C. (2017, January 22). Your heartbeat as a password-Smart or stupid. Retrieved from https://www.bleepingcomputer.com/news/security/your-heartbeat-as-a-password-smart-or-stupid/

Friday, April 20, 2018

Connectivity

Most items the public comes in contact with are connected in some form or another. This could be one of the myriad of IoT devices (e.g. lightbulbs, doorbells, garage doors, door locks, etc.), vehicles, or items worked with daily. These items are connected not simply to show this can be done, but to improve the user’s life with simplicity and automation.

One such application is traffic lights. Beginning in 2016, the U.S. Department of Transportation started to test traffic lights that connect wirelessly with nearby vehicles. The vehicles would transmit their location as they approach the light. The light would then process the data within its algorithm to maximize traffic flow and improve the user experience. For the driver, the time spent at stoplights would be minimized, as the connected car may, given optimal conditions, not need to stop at the lights.

Although this appears to be utopian, there are potential issues. Researchers at the University of Michigan found the DOT’s I-SIG (Intelligent Traffic Signal System) was vulnerable to spoofed messages and data (https://nakedsecurity.sophos.com/2018/03/08/smart-traffic-lights-cause-jams-when-fed-spoofed-data/). This vulnerability may be exploited by a single vehicle and would not require multiple vehicles all targeting the smart stoplight, as in a DDoS.

The attack was not perpetrated in the wild, but was demonstrated as a proof-of-concept. This was shown to be effective on the physical street, and not merely in the lab.

Notwithstanding the vulnerability, the system worked, and worked well. The actual system tests were completed at intersections located in Anthem, Arizona, and Palo Alto, CA. The new system was able to decrease vehicle delays by 26.6%. With the spoofed data, however, the situation changes: 22% of the time, a car’s trip that should take approximately 30 seconds would take over seven minutes. This would occur with a single vehicle attacking the smart stoplight.

This is still an emerging technology, not yet widely in use. As cybersecurity is applied to newer technology while it is designed, engineered, and deployed, there will continue to be issues like this that need to be addressed.

Yet another restaurant targeted

Attackers spend a predominant amount of their time looking for new targets and completing recon on these, in order to facilitate a successful attack on the chosen target(s).

A familiar target has been the restaurant industry. Its focus historically has been to cook and serve the clientele the dishes that were ordered. The focus is not on networking, InfoSec, or other computer issues, until a piece of computer equipment breaks.

The usual assets targeted for exfiltration at the individual restaurants are the PoS systems, processing the credit card information. This data could be sold on the dark web after being bundled with many other credit card numbers, expiration dates, and other data.

An attack from a different vector, however, occurred recently with Mise En Place Restaurant Services, Inc. Instead of the usual attack, this one compromised the system and deployed ransomware. This unfortunate set of events was noted on March 15, 2018, when a portion of the network fell victim to the ransomware. The attackers had unauthorized access from approximately March 6th to March 15th, when this was noted.

As the servers were accessed, there is the potential for data to have been exfiltrated. This may have included the client’s full legal name; social security number or federal identification number; passport, driver’s license, or resident card number; bank account number and the bank’s routing number; login credentials for the bank account; and other client and individual data processed by Mise En Place Restaurant. This “may” have been exfiltrated, as there is no direct proof that it was stolen. Nonetheless, to be conservative, the restaurant notified the potentially affected parties.

In response, the restaurant hired a third-party firm specializing in IT forensics to investigate the compromise. The firm also changed all of the network passwords.

Although not expressly detailed, the network was compromised and data probably exfiltrated through various means. Even without knowing the attacker’s methodology, there are several standard methods to guard against this. An effective patch management program assists greatly with maintaining a secure foundation. An associated set of tools would be quarterly vulnerability assessments and an annual PenTest.

MinerEye: A New InfoSec Tool with a Twist of AI

With regularity, new InfoSec tools are presented to the market to try and see if there is applicable use. A portion of these are open-source, others are freemium (free for the basic tool with an upcharge for the full set of functions), and others are for sale at the regular commercial price. The need for these tools has historically been user-driven, and while powerful, they have still been applied much like any other tool, mindlessly completing the tasks the human directs them to do.

MinerEye Data Tracker, a MinerEye product (@MinereyeLTD), was coded to manage a company’s data through identification, organization of the data, tracking the data and its flows, and protecting the data in a continuous manner. The data may not have had attention paid to it, due to being in a non-structured form with its attributes and uses not fully known or expressed. This is a short yet rather extensive list and could be completed on some level, although not as well, by a human. This security app, however, is a bit different in that it implements AI to accomplish the monitoring, analysis, and reporting. The app is fully capable of completing these in an efficient and proficient manner.


Other apps look to the data’s attributes to describe it, using these to monitor and track the data.

MinerEye takes this to a much deeper level and, unlike the other apps, analyzes the data in its basic form. This is used to put the data into individual groups, which had not previously been done. These groups may focus, depending on the situation, on business data for controls, client complaints, log activities, and other data groupings. This advanced view of the data incorporates a new framework to view the data not only in its place but also in transit as it is used.

Sunday, April 15, 2018

Medical offices are actively targeted

Medical offices continue to be targeted by attackers. A few of the reasons include the lack of InfoSec being applied and the valuable medical records (EHR and EMR), which can be sold or used for the attackers’ own deviant benefits.

An unfortunate incident occurred with the Virtua Medical Group, P.A. This is a physicians’ group with over 50 medical and surgical practices. Due to a breach, they have the “opportunity” to pay $417,816 as a settlement. There were allegations of a failure to properly protect the data in 1,650 patients’ records. These records were online due to a misconfigured server.

The doctors and medical practitioners are, at the end of the day, responsible for the data and records. The medical records were still the medical group’s responsibility to secure. The issue originated when the vendor unintentionally misconfigured the web server. This allowed access without a password, letting unauthorized parties access and download the patients’ data.

With any new modification or change, the party requesting the change should go through the approval standard operating procedure for the change. Any forms that need to be completed should be approved and applied to each request. This would provide an adequate audit trail and also allow other parties to verify and audit the work that had been done, and that it had been done correctly.