Showing posts with label Data Leaks. Show all posts
Showing posts with label Data Leaks. Show all posts

Monday, February 26, 2018

Why you should consider using 1Password

Using an online password manager has its advantages. Let's review them.

This is a very good week for 1Password users. AgileBits reports that they have integrated the 1Password online password manager with Troy Hunt's Have I Been Pwned? (HIBP) service. I mentioned Troy in this blog a couple times and I always point his blog and his HIBP service here and to people who are somehow interested in their security online.

Have I Been Pwned?

HIBP allows you to search from 500 million passwords collected from various data breaches. Checking your passwords against this list is crucial to keep your data safe. Apart from passwords, ut can also check if your email account, a website you use or a domain has been compromised in a data breach. And there's a lot of data there. We're talking about half a billion leaked passwords.

So, HIBP has my password. Does it mean I was hacked?

Not necessarily. If it's a common password, maybe it was being used by someone else. If it was a complex one, probably.

HIBP tells me my email address has leaked, was I hacked?

Also not necessarily. But unfortunately, it's highly probable that your email is already in the hands of spammers.

Is it safe? 

Well, if Troy with all his expertise in the field cannot be trusted, who else can? Also, AgileBits and lots of other people use his services. Don't see why we shouldn't. For more info, check this FAQ.

Are my passwords kept secret?

Yes. HIBP doesn't have access to your password. Here's what AgileBits reported:
First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash. To complete the process, the server sends back a list of leaked password hashes that start with those same five characters. 1Password then compares this list locally to see if it contains the full hash of your password. If there is a match then we know this password is known and should be changed.

If my passwords wasn't leaked, am I safe?

No. This is only a dataset of know breaches. Obviously there's way more circulating out there that neither Troy nor other researches have yet reported. Also, don't forget that a website you use may yet be exposed to a security breach meaning that your credentials can be leaked in the future. As a suggestion, keep returning to the site to make sure that your account hasn't leaked. You can also use the NotifyMe feature or even the RSS feed.

How does it work?

If you want to learn more, the video below shows how the feature works.

Benefit for 1Password users

This integration is immensely beneficial for 1Password users and I would be very happy to see more integration with HIBP. Basically because the service will notify you upfront that you're using a weak password.

Conclusion

This is a very welcome feature to 1Password and I sincerely hope that more websites integrate with that tool. I also urge you to start using that service or any tool that generates more secure password. In the meantime, let's all thank Troy for his awesome work, shall we?

References

See Also

For more posts about Security on this blog, please click here.


[Update June 16th, 2020]: Good news! Dropbox also released its password manager!

Monday, February 19, 2018

About the Freedom Mobile Hack

It seems that everyday some company is hacked (for the same reasons). Let's see why.
Mobile syrup reported in 2018 that an anonymous hacker posted a very detailed post on Freedom Mobile's subreddit about how they managed to access customer sensitive data on FreedomMobile.ca. While this wasn't confirmed, let's stop and evaluate certain aspects of the hack from different sources.

The Code

According to the report, the hacker mentioned it only took them 23 lines of code.. While anyone can guarantee this source is reliable, depending on how it was implemented, it indeed may have been possible to build a simple python script to perform username enumeration and password bruteforcing if the necessary prevention mechanism isn't in place.

The Login Widget

I inspected the code as soon as the news was out and collected some data. On Feb 15, 2018, the login screen just after the news offered that apart from username/password, we can also login using Phone number / PIN. If you were the hacker, which login you think would be easier to guess? A password (that can be anything) or a PIN composed of 4 numeric chars? 😉

Reviewing the Phone Number widget

I'm interested about this Phone number / PIN thing because PINs are usually simple and often are used to access your device from the phone. So, they should be numerical. Let's see what the source tells us:

From the screenshot we see that:
  • they're using Angular which has its flaws. Are they running the latest version?
  • some validations happen in the front-end (I hope they revalidate in the the web server);
  • that specific validation is done using Regex (pinRegEx).
  • the min/max length: 4 chars (see the red box on the right there);
  • the "PIN not valid" on the left shows up for non-numeric chars;

Estimating the Complexity

So, a mobile number and 4 numeric chars. How complex can that be?
  • mobile numbers are public.
  • PIN requires 4 numeric characters = 10 ^ 4 or 10,000 combinations

Brute Force

So, knowing your phone number, it takes the hacker, on the worst case, only 10,000 guesses. And it can get better. For example, if your pin were 1220 (Dec, 20) it would have taken me 10% of the time to guess your password.

Username Enumeration

The above has nothing of fancy, complex or undocumented. In fact, username enumeration and password bruteforcing are present in OWASP's CSRF Prevention guide and are part of OWASP's top 10 web application risks.

The hacker confirms it:
Source: https://mobilesyrup.com/2018/02/12/freedom-mobile-security-breach/

No brute force prevention

Sight. No brute force prevention. No account lockout? No MFA? No alerts. Probably not. Worse, the company ignores the issue, states the corporate jargon and returns the responsibility to users (as if a system based on 4 digit numeric PINs, no bruteforce or password enumeration prevention were secure enough):
“We continue to strongly encourage our customers to use unique PIN numbers that are not easy to guess, and to change their PINs frequently to best protect their personal account information. (...) meeting customer demands for a resonable login process.”

Shared Responsibility

Before we wrap up, there are two more things about this hack that are worth questioning:
  • who's responsible the decision to simplify the login by using the phone/PIN widget?
  • who's responsible for not preventing brute force without any lockout mechanism or alert on the login operation?
While I don't want to discuss who's responsible for what, I don't see the developers deciding how people should perform the login on the company's website. Certainly the ability to brute force such a crucial aspect of the application was missed or ignored by the business. It's definitely a shared responsibility.

Conclusion

So, even if we assume that the hack didn't happen, 10k combinations without any prevention against CSRF, username enumeration and/or password bruteforcing is not acceptable. Everyone loses when companies try to simplify security aspects for its users but do it wrong ignoring the most critical web application security risks. In time, if you haven't read yet, check OWASP's CSRF Prevention guide.

References

See Also

For more posts about Security on this blog, please click here.

Friday, September 8, 2017

Security and Ethics

Understand how reputation, security, ethics are important today and learn how they affect your security online.
Security is important. We also know that there is no such thing as absolute security. But can we do it better?

Of course. We can and should do our best to secure our applications, infrastructure, code, policies, etc - but in the end, security is just another technical requirement. A very important requirement that supports the reputation and the perception of a company. On this post, let's discuss reputation, security, ethics, why they matter, why they are important and how they affect online security on information technology.

Reputation

Reputation is a very important asset companies (and people) should pursue and work hard to keep because once lost, it's hard to gain it back. For example, a recent survey made by The Identity Theft Resource Center (ITRC) found out that 41 percent of surveyed people said they wouldn't do business with the breached company again.
With that said, let's discuss two LastPass and Log Me In before we can jump on insights on the latest Equifax hack.

The LastPass case

I was looking for information on password managers and found this interesting post on Troy Hunt's website describing why he decided to stop using LastPass after it was acquired by LogMeIn:
Then, on the blog post he said :
Companies like LastPass live and die by reputation and incidents like their breach in July that exposed master password hashes are hugely significant due to the impact it has on the perception of the company.

The Equifax case

Now, let's jump to Equifax. According to Wikipedia,
Equifax collects information on over 800 million individual consumers and more than 88 million businesses worldwide. Equifax has US$ 3.1 billion in annual revenue and 9,000 employees in 14 countries.
Not a small company, right? But what about the hack?
In September 2017, Equifax announced a cyber-security breach, which it claims to have occurred between mid-May and July 2017, where cybercriminals accessed approximately 143 million U.S. Equifax consumers' personal data, including their full names, Social Security numbers, birth dates, addresses, and, in some cases, driver license numbers.

Equifax also confirmed at least 209,000 consumers' credit card credentials were taken in the attack. The company claims to have discovered the evidence of cybercrime event on July 29, 2017. Residents in the United Kingdom and Canada were also impacted.
According to Bloomberg and ARS Technica (just to name a few) it's probably "one of the biggest hacks in history". Personally, I couldn't agree more with them. ARS Technica describes:
the Equifax data breach is, "very possibly the work leak of personal info ever." The breach, via a security flaw on the Equifax website, included full names, Social Security numbers, birth dates, addresses, and driver license numbers in some cases. Many of the affected consumers have never even directly done business with the giant consumer credit reporting agency.

A highly problematic solution

If all of that wasn't enough, ARS Technica still reports that the site created to alert users -  www.equifaxsecurity2017.com - was "highly problematic for a variety of reasons". For example, it was found on 9/8/2017 9AM PT that the site was leaking data:

Source: ARS Technica

Yes, an open endpoint leaking data on a website created to alert users that everything is supposed to be OK. It was removed a little after but you get it. The company that already had their reputation and perception damaged (because of insecure systems), was trying to calm everyone creating a website full of naive technical defects.

A highly problematic solution - Part Deux

Update: On Sep 17,2017, Brian Krebs reports that researches found an Equifax in Argentina having access to extremely confidential information configured with admin/admin; 
It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”
How critical is that? I think we're seeing a sad pattern here. Hope we don't see any other chapters in this history because the leak is already pretty critical.

A highly problematic solution - Part Trois

Update: On Sep 21,2017 - Yes, it can get worse! According to The Verge:
In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours.
Gizmodo captured the tweets:

Sourcegizmodo.com

Pretty sure there's way more out there exploring the situation. The level of incompetence is astonishing!

Ethics

And then, if all of that wasn't enough, we get to Ethics. Bloomberg News reports that three Equifax managers sold stock before cyber hack revealed. In fact, Wolf Richter greatly summarized this for us:
Turns out, Equifax got hacked – um, no, not today. Today it disclosed that it had discovered on July 29 – six weeks ago – that it had been hacked sometime between “mid-May through July,” and that key data on 143 million US consumers was stolen. There was no need to notify consumers right away. They’re screwed anyway. But it gave executives enough time to sell 2 million shares between the discovery of the hack and today, when they crashed 13% in late trading.
The interval between the supposed hack and it's public announcement was enough to allow insiders sell 2 million shares. How can a company have its perception improved like that?  Probably not going to happen in the near future, especially after more and more bad news about websites misconfigured, data leaks and links to a fake site.

Conclusion

So, that's how security, reputation and ethics converge. Perception derives from those and is highly influenced by them. Security is hard. Ethics in the other hand, can and should be easy - but only if  we want to do it. It's about time companies do their best to protect their biggest asset: their customers, their data, their privacy.

And it all can start with us developers by writing safer, better code.

See Also

About the Author

Bruno Hildenbrand