Why go to the trouble of hacking if you can find an easier method? Why not just pay mobile phone company employees to simply give you the codes that can unlock users’ unique SIM cards? That is what, apparently, has been happening for the last five years in France. The outside crooks paid the inside crooks €3 for each code, and then sold them on to hackers for €30.
The first thing you have to ask is how can this possibly happen in 2010? Security professionals have been shouting for years that the insider is as big a threat as the outside hacker. And we have solutions.
A database activity monitoring system that looks at the rate at which data is taken out of the database would have detected this problem. But it is not enough to have a simple monitoring solution, because access to the database is usually through an application, so you need to be able to maintain end-to-end visibility through all the different tiers. The system should alert on any abnormal amount of data retrieved from the database, and also apply geo-location analysis and alert on an illogical access to the database by a user who should not be accessing the data so many times or retrieving a large number of details in a single session.
Amichai Shulman, CTO, Imperva
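As an added illustration of the two rules Shulman describes (this is example code written for this page, not Imperva's product), the following runs a per-session volume check and a geo-location check over a constructed application-tier audit log of SIM unlock-code lookups; the threshold, the employees' home countries and the log rows are all assumed.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed audit sample (not real data): one row per SIM unlock-code lookup
# that the customer-care application issued to the database for a logged-in
# employee. Tying the application session to each query is what gives the
# end-to-end visibility the monitoring needs.
SAMPLE_LOG = """ts,user,session,imsi,country
2010-09-01T08:01:10,alice,s1,208010000000001,FR
2010-09-01T08:02:40,alice,s1,208010000000002,FR
2010-09-01T08:05:00,bob,s2,208010000000003,FR
2010-09-01T08:05:01,bob,s2,208010000000004,FR
2010-09-01T08:05:02,bob,s2,208010000000005,FR
2010-09-01T08:05:03,bob,s2,208010000000006,FR
2010-09-01T08:05:04,bob,s2,208010000000007,FR
2010-09-01T08:05:05,bob,s2,208010000000008,FR
2010-09-01T09:10:00,carol,s3,208010000000009,RO
"""

# Assumed baseline (hypothetical): a care agent rarely serves more than five
# customers per login, and each agent has one expected country of access.
MAX_LOOKUPS_PER_SESSION = 5
HOME_COUNTRY = {"alice": "FR", "bob": "FR", "carol": "FR"}


def detect_abuse(log_text, max_per_session=MAX_LOOKUPS_PER_SESSION,
                 home_country=HOME_COUNTRY):
    """Return a list of (user, session, reason) alerts for the given log."""
    per_session = defaultdict(int)   # (user, session) -> lookup count
    countries = defaultdict(set)     # (user, session) -> countries seen
    for row in csv.DictReader(StringIO(log_text)):
        key = (row["user"], row["session"])
        per_session[key] += 1
        countries[key].add(row["country"])

    alerts = []
    for (user, session), count in per_session.items():
        # Volume rule: an abnormal number of codes pulled in one session.
        if count > max_per_session:
            alerts.append((user, session,
                           f"{count} lookups in one session (limit {max_per_session})"))
        # Geo rule: access from somewhere this user is not expected to be.
        expected = home_country.get(user)
        for country in sorted(countries[(user, session)]):
            if expected is not None and country != expected:
                alerts.append((user, session,
                               f"access from {country}, expected {expected}"))
    return alerts
```

In a real deployment the per-session baseline would be learned from historical volumes per role rather than hard-coded, and the country would come from the application's source IP.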
OK – it shouldn’t have happened. But it did; so there are other questions we need to consider. Mobile phones are increasingly used as authentication devices for mobile banking. Just how serious can this get? I spoke to Jonas Thulin, VP of Sales Engineering at FireID, for his views.
FireID uses mobile phones to provide two-factor authentication to banks, and I asked if the code theft was a worry. “Not for us,” he told me. “It doesn’t affect our customers at all, because we don’t link our application to the SIM card on the phone. To generate the one-time password, we have a shared secret, a seed number, that we store on the phone. This gets encrypted by a PIN number that the user configures when he installs the application. Basically, there simply isn’t enough information on the phone to successfully decrypt the PIN code in order to steal OTPs.
“However, where these thefts can cause problems,” he added, “is where the 2FA isn’t really 2FA at all – but more properly it uses the second factor as an alternative rather than an addition to the first factor. A good example is Google’s new 2FA for Google Apps where the authenticating code is sent to the handset as an SMS message. More worryingly, a lot of banks also still do this. Where this happens, hackers with access to the stolen SIM codes can also get access to bank access codes.”
In short, where the mobile phone authentication mechanism is genuinely two-factor, such as that supplied by FireID, you’ll be OK just so long as the bad guys don’t get hold of both the SIM details and your PIN code. But if your bank simply sends you a text password, then you should be concerned. The moral is that genuine two-factor authentication works; pseudo two-factor authentication falls short.
Elcomsoft, a Russian cryptanalysis company, has a history of upsetting the West. Way back in 2001, Dmitry Sklyarov, an Elcomsoft programmer, was arrested in the USA after presenting at DEF CON. He had developed a product, The Advanced eBook Processor, that would decrypt encrypted Adobe e-books. He had not broken any US laws while in the USA, nor was his product illegal in Russia. But it certainly upset Adobe and other western publishers at the time.
Today we have a new Elcomsoft product: the Elcomsoft Wireless Security Auditor, complete with WPA2 brute force password cracking. And they’re still upsetting people. Idappcom’s CTO, Roger Haywood, has commented:
…the reality is that the software can brute force crack as many as 103,000 WiFi passwords per second – which equates to more than six million passwords a minute – on an HD5390 graphics card-equipped PC. Furthermore, if you extrapolate these figures to a multi-processor, multiple graphics card system, it can be seen that this significantly reduces the time taken to crack a company WiFi network to the point where a dedicated hacker could compromise a corporate wireless network.
Our observations at Idappcom are that this is another irresponsible and unethical release from a Russian-based company that has clearly produced a ‘thinly disguised’ wireless network hacking tool with the deliberate intention of brute force hacking wireless networks.
The solution is clearly and intentionally priced within the grasp of any hacker or individual intent on malicious wireless attacks. Assuming you have no password and access control recovery system, if you do forget the password to a wireless network that you own, how difficult do you think it is to walk over to the device and press the reset button? In most situations resetting a wireless device, restoring a configuration and setting a new password is a process that can be achieved in minutes.
This is an absolutely valid viewpoint. But I’d like to suggest an alternative view. Was Adobe’s encryption weak in 2001 because of Dmitry Sklyarov; or did/could Dmitry Sklyarov produce his software because Adobe’s encryption was weak? Adobe’s security is far stronger today. Is that partly because of Elcomsoft?
And now, does the Elcomsoft EWSA product create insecure networks, or merely demonstrate that those networks are already insecure? One thing we can be sure of: the security of those WiFi networks will now have to improve. Is that a bad thing?
There is a similarity here with the full disclosure debate. And I suspect that people will take similar sides. You may have guessed that, on balance, I believe that security is improved by full disclosure; and by companies like Elcomsoft. Those who believe that full disclosure is irresponsible disclosure will probably believe that Elcomsoft is irresponsible.
And never the twain shall meet.
This year’s computing buzzword is probably ‘consumerisation’. It is used to describe the growing influence of staff in the choice and use of corporate computing devices – and one effect of this consumerisation is that the demarcation lines between corporate and personal use are at best blurred and more likely non-existent.
Nigel Hawthorn, VP EMEA marketing at Blue Coat, believes this growing consumerisation may have another effect – a strain on corporate network bandwidths. Hawthorn has a history of predicting the unexpected. Back at the beginning of the summer, he suggested that some company networks would be overwhelmed by their own staff watching the World Cup live on company bandwidth (FIFA World Cup: the world’s biggest ever DoS?). He was confident enough to declare that if wrong, he’d eat his shirt; and he did not have to eat his shirt.
Now he points out that the latest version of the BBC’s iPlayer, coupled with consumerisation, has the potential to place a growing and sustained strain on UK bandwidths. “The iPlayer’s new version has some great new features on it,” he told me, “and there are two that are particularly important from a network manager’s point of view. Firstly, iPlayer can now support HD. What’s that – 3.2 Mb per second; where it’s just 1.6 for non-HD? And secondly, and probably more insidiously because users might not realise what they are doing, you can now set a particular programme or set of programmes as one of your favourites, and say that you want your PC to automatically download each new episode as soon as it is broadcast. So the PC sits there, boots up in the morning, and because the user has at some time in the past said ‘I love Eastenders’, it downloads last night’s Eastenders to the PC, even if that user never goes back and watches it.”
Network managers would do well to think about this. Consider the temptation on staff. Fewer people are seeing much difference between company computing and home computing. They check and respond to their company email at home on their own bandwidth; why shouldn’t they be just as relaxed at work with the company bandwidth? So what is wrong with downloading last night’s television to watch while having a sandwich lunch at your desk? Or to have something to watch on your laptop during the hour-long train commute home?
Then do the math. If just ten members of staff have got the iPlayer app on their PCs and have set it to download one or more favourites, that could be something like 15Gb of non work-related downloads, probably in one go when people boot up their PCs in the morning. And if those people haven’t downloaded, but all decide to watch streaming programmes during the same lunch-break, we’re talking about something like 32Mb/sec. Could your network cope?
The consumerisation of computing is just beginning. The use of the internet as the source of all video entertainment is growing. So the demand on company bandwidth from non work-related staff downloads is likely to grow exponentially over the next couple of years. This means that it will be essential to develop ‘acceptable use policies’ that are in themselves acceptable and yet enforceable. This will require a clear view into the use of your networks, and strong control over that use. And that requires the products of companies like Blue Coat.