De-Coder’s Ring

Software doesn’t have to be hard

Category: cybersecurity (page 2 of 7)

Thoughts on Equifax – Tokenization

The past week’s news cycle has been dominated by the Equifax breach.  There are rumors about how the breach happened, rumors and accusations (armchair judge Judy and executioner) about improper stock sales, and half a million class action lawsuits.

(I exaggerate on numbers)

This post isn’t going to talk about breaches in general, and it isn’t going to talk about this breach from a technical standpoint… what I’m going to talk about is something different.

If your bank gets hacked, crap, that sucks.   If your doctor/insurance gets hacked, crap, that sucks.   They’ll sign you up for identity protection, and you’ll forget about it.

The interesting part about Equifax is that you don’t have an account with them.  You’ve never interacted with Equifax, unless you’ve pulled your credit score… but guess what?  Your credit score is not the information that got stolen.

The data that got stolen, the super important data about your life, was given to them by other entities.  Your bank gave them your information.  Your credit card company gave them your information.  Did you know they did that?

You gave them permission to in your contract, but, did you realize you did? (Of course not, no one reads the fine print!)

Now that you’re ticked off because someone else shared your data, to someone who couldn’t protect it… what do you do?

Nothing.

That’s the way credit reporting and your credit score work.   For you to have a credit score, entities have to report to Equifax, Transunion and Experian.

What could have been done?   Tokenization.

There’s a concept in security, and more specifically in secure data storage and transmission, called tokenization.  Essentially, a developer hands over a secret piece of data (SSN, account numbers, etc.) and gets a token back.   The token can later be swapped back for the original piece of data if necessary; the mapping from token to secret lives in one tightly controlled service (the vault), not in the systems that use the token.  This is great inside a company, like a bank.  Instead of storing an SSN in an operational database, you store the token.  The only time you need the SSN might be printing paper that needs it, or filing a legal document.

There’s a challenge with tokenization for credit reporting.  Every bank needs to report someone like ME as the same person.    Bank A can’t have token 1234 for me while Bank B reports me as ABCD.  They both need to report me as the same token.   If Bank A and Bank B can both report on me as ABCD1234, then Equifax et al. don’t need to know my SSN.   The banks I have a relationship with do.

How do we accomplish this?  That’s the big big challenge…   could be my next billion dollar idea… (yeah, I just gave it away, but, execution is 99% of the challenge)
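To make the two halves of the idea concrete, here is an added example in Python (this is illustration code written for this page, not the post’s own code and not any bank’s or bureau’s system). The first part is the in-house vault from the tokenization paragraph: random tokens, reversible only by the vault. The second part is one possible answer to the cross-bank problem: a deterministic token derived from the SSN under a key shared by the reporting banks but never handed to the bureau. The shared key, the tokenization authority that would issue it, and the SSN values are all assumptions constructed for the example; distributing and guarding that key is exactly the hard part the post leaves open.

```python
"""Tokenization, as an added example for this post (not the post's own code,
and not any bank's or bureau's system).

Two flavours:
  1. TokenVault: what one bank does internally. The SSN is swapped for a random
     token; only the vault can map it back, so the operational database holds
     nothing worth stealing.
  2. reporting_token: a deterministic, keyed token so that Bank A and Bank B
     both report the same person as the same value, without the bureau ever
     holding the SSN. The shared key is hypothetical; who issues and guards it
     is the open problem.
The SSNs used below are constructed sample values.
"""
import hashlib
import hmac
import re
import secrets


def normalize_ssn(ssn: str) -> str:
    """Strip separators so '123-45-6789' and '123456789' tokenize identically."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return digits


class TokenVault:
    """Reversible tokenization vault, kept in memory here. A real one is a
    separately secured service with its own access control and audit log, and
    detokenize() is the call you restrict to the few jobs that truly need it
    (printing a form, filing a legal document)."""

    def __init__(self) -> None:
        self._token_to_secret = {}
        self._secret_to_token = {}

    def tokenize(self, ssn: str) -> str:
        ssn = normalize_ssn(ssn)
        # Same SSN -> same token within this vault, so joins on the token still work.
        if ssn in self._secret_to_token:
            return self._secret_to_token[ssn]
        token = "tok_" + secrets.token_hex(16)  # random: carries no SSN information
        self._token_to_secret[token] = ssn
        self._secret_to_token[ssn] = token
        return token

    def detokenize(self, token: str) -> str:
        """Swap a token back for the secret; raises KeyError for unknown tokens."""
        return self._token_to_secret[token]


def reporting_token(ssn: str, shared_key: bytes) -> str:
    """Deterministic token: HMAC-SHA256 of the normalized SSN under a key shared
    by every reporting institution but never given to the bureau.

    Caveat: the SSN space is only 10^9 values, so anyone holding the key can
    enumerate every token in hours on commodity hardware. The key, not the
    tokens, is what has to be protected."""
    return hmac.new(shared_key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    """Show the properties the post asks for; returns a dict of booleans."""
    bank_a, bank_b = TokenVault(), TokenVault()
    shared_key = secrets.token_bytes(32)  # hypothetical key from a tokenization authority
    me = "123-45-6789"
    return {
        # Each bank's internal tokens are unrelated...
        "internal_tokens_differ": bank_a.tokenize(me) != bank_b.tokenize(me),
        # ...but each bank can still recover the SSN when a paper form needs it...
        "vault_roundtrip": bank_a.detokenize(bank_a.tokenize(me)) == "123456789",
        # ...and both banks report me to the bureau as the same value.
        "reporting_tokens_match": reporting_token(me, shared_key)
        == reporting_token("123 45 6789", shared_key),
    }
```

The design choice worth noticing: the vault tokens are random, so a dump of the operational database is worthless without the vault, while the reporting token is keyed rather than a plain hash precisely because an unkeyed SHA-256 of a nine-digit number can be reversed by brute force in minutes.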

 

Cybersecurity – The Value of Community Threat Data

I’ve written about community threat intelligence data before, and I want to reiterate my stance now, after 14 months on the job at Perch Security (https://perchsecurity.com).

I have the pleasure of building out the network sensor and the infrastructure that processes all network traffic from each of our customers’ sensors.  It’s amazing how quickly we have been able to get small community members (financial services, healthcare, mining, etc.) detecting on network intelligence that is highly targeted at their industry.

Before we stepped in, a small seven-person community credit union had a firewall.  When we came in, they could start detecting network threats, anomalies, etc.

This isn’t about Perch, and how Perch is awesome (although Perch is awesome), this is about the value of the intelligence.

When you’re evaluating a security tool, find out where the intel comes from… if the answer is “Our honeypot”, run the other way.

If the answer is “our threat intelligence analysts”, ask how it’s relevant to you.   Make sure the rules and the intelligence you’re detecting on are not lost in the noise.

Think about this one.  DHS AIS (Automated Indicator Sharing) pushes out approximately 50,000+ malicious IP addresses.   That’s a lot of things to look for.   Are they targeted? Are they critical to your industry?  I can answer that pretty solidly: nope.

Not DHS’ fault, but half the intel they seem to produce is from honeypots.  Honeypots are stupid, and nearly the worst source of intelligence.  OMG! You found something scanning your public IP address…     Yup.   You’re going to.  Does that mean I have to spend resources on my firewall or in my IDS signature space to cover that IP?  Nope.   Scans (Recon) don’t always turn into attacks (Weaponization).

Look for things that you know are attacking your industry.

If you’re a water utility, look for SCADA attacks.

If you’re in finance, look for Struts (too soon?); don’t waste time blocking Shodan scans (love Shodan though).

Prioritize your community intelligence.

Prioritize behaviors, specifically around exploits (if you run a Python shop, seeing a Struts attempt doesn’t matter!).

Know your network.
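Here is what those rules look like turned into code, as an added example for this page (not Perch’s code or any vendor’s product). It takes a small indicator feed, drops honeypot scan-only hits, throws away exploit indicators for technology you don’t run, and bumps anything reported by your own industry community. The feed, the field names and the point values are constructed for the example; the addresses are RFC 5737 documentation ranges and the domain is a reserved example name.

```python
"""Prioritizing a community threat feed (added example for this post; not
Perch's code or any vendor's product, and the feed below is constructed).

It encodes the rules above: honeypot scan-only hits are dropped, exploit
indicators only count if they target something you actually run, and
indicators reported by your own industry community outrank generic ones.
The scoring weights are arbitrary assumptions chosen for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str          # IP address, domain, or the name of a detection rule
    kind: str           # "ip", "domain" or "exploit"
    source: str         # who produced it: "honeypot", "incident" or "analyst"
    observed: str       # "scan" (recon only) or "attack" (seen doing harm)
    industries: tuple   # communities that reported it, e.g. ("financial",)
    targets: tuple = () # for exploit indicators: technologies it targets


@dataclass(frozen=True)
class OrgProfile:
    industry: str       # the community you belong to
    stack: frozenset    # technologies you actually run ("know your network")


def score(ind: Indicator, org: OrgProfile) -> int:
    """Return 0 for indicators not worth a signature slot; higher is more urgent."""
    # Something scanning a honeypot is the background noise of the internet.
    if ind.source == "honeypot" and ind.observed == "scan":
        return 0
    points = 1
    if ind.kind == "exploit":
        # A Struts exploit attempt is irrelevant to a Python shop.
        if not set(ind.targets) & org.stack:
            return 0
        points += 3  # behaviour-based detections beat bare IP lists
    if org.industry in ind.industries:
        points += 2  # reported by your own community: targeted, not generic
    if ind.observed == "attack":
        points += 1
    return points


def prioritize(feed, org: OrgProfile):
    """Indicators worth deploying, most urgent first (score 0 is dropped)."""
    scored = [(score(ind, org), ind) for ind in feed]
    return [ind for pts, ind in sorted(scored, key=lambda pair: -pair[0]) if pts > 0]


# Constructed feed using RFC 5737 documentation addresses and an example domain.
SAMPLE_FEED = (
    Indicator("198.51.100.7", "ip", "honeypot", "scan", ()),               # mass scanner
    Indicator("203.0.113.9", "ip", "incident", "attack", ("financial",)),  # seen in a real intrusion
    Indicator("struts-ognl-rce", "exploit", "analyst", "attack",
              ("financial",), targets=("struts", "java")),
    Indicator("modbus-write-coil", "exploit", "analyst", "attack",
              ("utilities",), targets=("scada", "modbus")),
    Indicator("evil.example", "domain", "honeypot", "attack", ("healthcare",)),
)


if __name__ == "__main__":
    bank = OrgProfile("financial", frozenset({"java", "struts", "windows"}))
    for ind in prioritize(SAMPLE_FEED, bank):
        print(score(ind, bank), ind.value)
```

Run it as a Java-based bank and the Struts rule comes out on top, the incident-sourced IP second, and the mass scanner never makes the list; run it as a Python shop and the Struts rule disappears entirely, which is the point of the paragraph above.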

 

 

Equifax – Post Breach – The New Normal

In light of the new, HUGE data breach at Equifax, it’s time to consider a new normal, where we are all breached and we have no secret information.

Essentially, with the loss of records pertaining to Personally Identifiable Information (PII) for half of all Americans, we have to ask:

“Can we continue to assume our private information is private?”

Historically, we’ve kept our SSN and credit/debit card numbers private.  We guard them and hope no one finds them out, because if they do, they can open credit accounts, take out mortgages, buy furniture, etc. in our names.  It’s identity theft.  Fraud.

What happens now that half of the people in the US are affected?

This may be freeing for normal folks like us.  No longer caring who sees our SSN or Credit Card numbers.   Heck, the bad guys have them already!

Banks, lenders, etc. are the ones that need to be concerned.  How can they reliably know that it’s ME signing up for a new bank account or car loan?   How can they KNOW for sure that it’s not a bad actor in <insert bad actor country here>?


A few scenarios I can think of:

Banks start to go nuts for validation.  Phone calls, SSN, DOB, insane credit validation based on previous addresses, etc.   Not sure that’ll be enough.

The slow death of electronic only accounts?    Are we going to have to go to the bank for everything?  Open a new account, go to the bank. Apply for a new loan, go to the bank.

Is that enough?

Do we all need new IDs?    We keep our public identifier, like SSN, but, we all get a ‘private’ key that only we can use?  Yeah, that’ll get out too.


Security is hard.


What about a hardware token?  The federal government gives us all a heavily encrypted RFID chip/implant.   There’s no way to duplicate/spoof it.  If every computer can guarantee the identity of the chip holder, then there’s no doubt the person applying for a credit line is that same person.  Essentially a non-duplicatable digital signature that anyone can verify but no one can mimic.  Is this technically possible?   Maybe.

Feasible?  Nope

 

Threat Hunting with Open Source Software

I’ve begun working on a new project, with a spiffy/catchy/snazzy name:
Threat Hunting: With Open Source Software, Suricata and Bro

I’ve planned out multiple chapters, from raw PCAP analysis, building up through session reassembly, into full-on network monitoring and hunting with Suricata and Elasticsearch.

This project will take a long time. While I work through it, I’ll be posting here regularly. I very much welcome feedback.

Here’s a little introduction video, but more will come as I add videos.

The next video will be looking at how data is transmitted over a network… anyone ready for a super brief OSI Network model overview?


© 2017 De-Coder’s Ring
